A new language for enforcing privacy compliance emeri


Users of Windows Datacenter get a better Java option; J.

It’s a dangerous world, and not just outside the firewall. Clueless and disgruntled employees are an IT security problem, too. To help you out, we’ve compiled the hottest tips on topics such as identity management, insider abuse and instant messaging. Stories begin on page 23.


ONLINE EXCLUSIVE

Is your company secure? Take our quiz to find out: QuickLink a3430


Rapid-Reporting Mandate Adds to Compliance Woes

Companies need systems overhauls to meet Sarbanes-Oxley’s ‘material events’ requirement

BY THOMAS HOFFMAN

Most companies that have taken steps to comply with the Sarbanes-Oxley Act have focused their energies on Section 404, a provision that requires businesses to document their financial-reporting controls and procedures.

But most IT managers have yet to tackle a potentially more onerous requirement: Section 409, which calls for companies to deliver timely reports to investors and other stakeholders on any “material events” that could affect the companies’ finances or business operations.

That mandate, which the U.S. Securities and Exchange Commission is expected to start enforcing by 2005, could leave businesses with no choice but to make sweeping changes to their IT infrastructures in order to provide automated reporting capabilities that function at close-to-real-time speeds, CIOs and analysts said last week.

“There’s a huge data and information infrastructure issue there that has to be tuned to respond to events — and most companies don’t have these capabilities in place,” said John Hagerty, an analyst at

Sarbanes, page 14


SECTION 409 COMPLIANCE

What You Should Do

■ Set up systems to automatically notify all key constituents, including senior executives, board members and investor-relations managers, of material events.

■ For IT projects in particular, make sure your project management and accounting processes are intertwined so cost overruns can be quickly identified.

■ Work with the finance and audit departments to develop a framework for financial reporting and documentation procedures.


Feds Ponder MCI’s Future

Despite settlement, carrier could lose government contracts

BY DAN VERTON

WorldCom Inc. may have overcome its problems with the Securities and Exchange Commission, but its political battles on Capitol Hill and throughout the halls of government are just beginning.

A U.S. District Court last week approved the SEC’s amended proposed settlement with the telecommunications carrier, which is now doing business under its MCI brand. The settlement allows a civil penalty of $2.25 billion to be satisfied by a much smaller payment to shareholders and bondholders of $500 million in cash and $250 million in common stock upon emergence from Chapter 11 protection.

But a key issue that hasn’t been resolved is whether MCI should be suspended or barred from holding government contracts. The Senate Judiciary Committee tomorrow will hold a hearing on the issue as part of a broader investigation into the ramifications of MCI’s bankruptcy.

MCI has enough votes in the House Appropriations Committee to block an effort being pushed by rivals AT&T Corp. and Verizon Communications that would bar any extension of MCI government contracts

MCI Contracts, page 53


Businesses See Wi-Fi as Potential Lure

Restaurants, hotels wooing customers with wireless access

BY BOB BREWIN

As public-access Wi-Fi “hot spots” percolate out of coffee shops and into the wider world of hotels, fast-food chains and other locations, many companies are starting to view the wireless technology as an essential amenity for attracting customers.

But what’s still unclear is how much businesses can charge customers to use the

Wi-Fi, page 16
65 Tips From Security Pros

It’s a risky world out there. So we’re providing scores of tips from IT security pros to help you protect your corporate assets.

PACKAGE BEGINS ON PAGE 23.

The Story So Far. A quick tour through the history of IT security, including computer viruses, antivirus software and government efforts to deal with virus outbreaks.

Know Thy Users. With the proper identity management system, you can save money, make users happy and improve IT security. Users like Ann Garrett, chief information security officer for the state of North Carolina, offer strategies for making the right choices.

Opinion: Common names can create false positives in databases. In our post-9/11 world, that makes columnist Mark Hall a little nervous.

Evaluate Outsourcing Partners. The rules of outsourcing still apply when working with managed security service providers. But specific safeguards will help ensure the quality of security coverage.

Strengthen Security During Mergers. With merger and acquisition activity on the rise, managers need to know how to protect their company’s assets and bolster security at the combined business. ConocoPhillips’ Bobby Gillham and other experts offer suggestions.

Thwart Insider Abuse. Hackers get the media attention, but security pros know that the biggest threat comes from within. Here are recommendations to guard against insider abuse.

Protect Privacy, Step by Step. State, federal and international laws are making data privacy management a hot issue. Here are some tips for managing a privacy policy.

Plug IM’s Security Gaps. With 25 million business users, instant messaging is the security problem you can’t ignore. ONLINE: Companies share more of their tips for locking down instant messaging.

Careers: Security experts like Jim Wade of KeyCorp say information security specialists have it a little better than other IT pros in today’s job market — but not by much.

The Almanac: Secondhand computers rarely have sanitized hard drives, and spyware is lurking in your PC. These items are among the tidbits in this month’s collection.

QuickStudy: A buffer overflow is the computer equivalent of pouring a gallon of water into a pint-size pot. Those excess data bits can overwrite and destroy information.

The Next Chapter: We asked experts to identify future IT security risks. They warned us about stolen fingerprint scans, Web services, “digital dimwits” and lightning-fast Internet attacks.

Thwarting Attacks on Apache Servers. In this book excerpt, a hacker explains how intruders can gain access to your system — and what you can do to stop them. QuickLink 39583

Social Engineering: A Matter of Trust. Securing a network isn’t just the job of the “tech people,” says columnist Douglas Schweitzer. QuickLink 39213

Tips for Securing Windows. Patches, service packs, hot fixes and quick fixes — when should you install them, and when might they make things worse? Spirian’s CTO offers advice. QuickLink 39506

What’s Inside a Hacker’s Toolbox. Hackers have access to knowledge about 802.11 — wouldn’t you like to know what they know? AirDefense Inc.’s Brian Moran takes a tour of a hacker’s toolbox. QuickLink *9753

Password Secrets. Writing passwords in creative ways can make them easy to remember but difficult for anyone else to guess, writes columnist Peter H. Gregory.
Sun Confirms Unix Deal With SCO . . .

Sun Microsystems Inc. confirmed that it has signed an expanded Unix technology licensing deal with The SCO Group Inc., which earlier this year filed suit against IBM for allegedly incorporating patented Unix code into Linux. Sun and Lindon, Utah-based SCO finalized the wider agreement in February, but SCO kept Sun’s identity a secret until last week.


. . . And Offers HP Migration Program

In other Sun news, the company said it plans to announce next week a server migration program aimed at users of Hewlett-Packard Co.’s Tru64 Unix operating system. The HP Away offering will include discounts aimed at enticing users running Tru64 Unix on Alpha-based servers to switch to Sun systems. Sun already has a similar program, called Blue Away, for IBM mainframe users.


Peregrine Creditors Agree on Revamp

Peregrine Systems Inc., a San Diego-based vendor of asset management software, said it has reached agreement with its creditors and shareholders on a financial reorganization plan. Peregrine, which had to amend its original plan after some creditors balked at the provisions, now hopes to emerge from Chapter 11 bankruptcy next month.


Oracle Readying Database Upgrade

Oracle Corp. said it’s beta-testing a database upgrade and plans to announce the software in September at its OracleWorld conference in San Francisco. The new version, which is being referred to as Oracle10i for now, will include new database management features, expanded clustering capabilities and added support for XML and Web services.


PeopleSoft Users Fear Forced Database Move

Doubts linger, despite Oracle’s promise that it won’t require use of its software

BY MARC L. SONGINI

Some PeopleSoft users last week said they fear that in addition to putting their business application investments at risk, Oracle Corp.’s $6.3 billion bid to buy PeopleSoft Inc. could force them to migrate to Oracle’s database.

Oracle supports its own E-Business Suite applications only on its namesake databases. But an Oracle spokeswoman said that the company wouldn’t force PeopleSoft users who rely on rival databases such as DB2 or SQL Server to switch technologies and that all existing PeopleSoft applications would be supported for at least 10 years.

Nevertheless, several customers of Pleasanton, Calif.-based PeopleSoft and Denver-based J.D. Edwards & Co. — which PeopleSoft is expected to acquire under a deal announced last month — said they’re worried that they will have to rip out IBM or Microsoft Corp. databases if Oracle’s takeover bid succeeds.

“I have not been reassured by [Oracle],” said Ben Wilson, head of IT services for the government of Napa County in California. “We’re convinced they want us to switch to the Oracle database in the future, and that would be an expensive proposition to us.”

Costly Migrations

Napa County now uses Microsoft’s SQL Server 2000 database to support its PeopleSoft-based ERP system. Wilson said he plans to stick with the applications beyond the current version, PeopleSoft 8. Being forced to move to an Oracle database would cost the county tens of thousands of dollars more for software licenses than it spends now and would require that its database administrators be retrained, he said.

“We are most concerned about possibly being forced to the Oracle database,” said Bill Monroe, chief operating officer at the Texas Education Agency in Austin, which runs PeopleSoft applications that are supported by Microsoft and Sybase Inc. databases. A changeover would be disruptive and expensive, he said.

Oracle’s promise to let users keep their current databases appears to contradict the position the company took when it announced its takeover bid in early June, said Peg Nicholson, president of the PeopleSoft International Customer Advisory Board and CIO at Acushnet Co., a maker of golf equipment in Fairhaven, Mass.

But if Oracle were to force a migration, “a ton of work” would be needed to convert Acushnet’s data from SQL Server to an Oracle database format and retrain its IT staff, Nicholson said. “We have far better things to do with our time and money — projects which will bring a business return on our investment,” she added. “This will bring nothing but aggravation and expense.”

Having to change databases “would be unacceptable to most customers,” said Joshua Greenbaum, an analyst at Enterprise Applications Consulting in Daly City, Calif. “No one should be forced into anything, and I doubt Oracle would be foolish enough to try.”


Status Report

ORACLE

Its tender offer for PeopleSoft’s stock has been extended to July 18. As of July 3, about 11% of PeopleSoft’s 316.6 million shares had been tendered to Oracle.

PEOPLESOFT

The Justice Department today is expected to announce whether it is satisfied that there are no antitrust concerns regarding the company’s planned merger with J.D. Edwards.


ELLISON’S VIEW

Oracle’s CEO says he’ll continue his efforts to buy PeopleSoft into next year if need be: QuickLink 39770


IBM Expands Linux Support in WebSphere

Company uses scalability bait to lure Sun defectors

BY CAROL SLIWA

IBM announced last week that its WebSphere Application Server for the first time will run on Linux on its pSeries and iSeries hardware with its Power4 microprocessor.

WebSphere already ran on IBM’s Linux-based xSeries servers with Intel Corp. processors at the low end and on its zSeries mainframe at the high end. Now it will also be supported on Linux-based midrange servers that traditionally have run the Unix operating system, said Bob Sutor, director of WebSphere infrastructure software at IBM. “IBM continues its commitment to Linux on our strategic hardware,” he said, “and we’re continuing to put our commitment on our strategic software as well.”

Sutor noted that Microsoft Corp.’s Windows servers run only on Intel processors and added that Sun Microsystems Inc. “has relegated Linux to the lowest end,” supporting the open-source Unix derivative on Intel-based servers rather than on its Sparc processors.

“In the Sun Sparc environment, you can only go so far up with Linux before Sun shifts you over to Solaris,” said Dwight Davis, an analyst at Summit Strategies Inc. in Boston. “So this is in large part an attack on Sun, trying to draw people from the Sun platform to the IBM platform by offering them a more scalable growth path with Linux as the foundation.”

Davis said most users will base their decisions on the whole IBM offering and an assessment of WebSphere. He said developers don’t write to Linux directly, but rather to the J2EE platform, which, in IBM’s case, is WebSphere.

“Obviously, people do care about the underlying hardware and the performance profile of the microprocessors,” Davis said. “But I don’t think many people are making decisions based solely on whether it’s a Sparc chip, an Itanium chip, a Power chip. They’re really looking at the entire package.”


NEW PRODUCTS

WebSphere 5.02 for Linux/Power4-based pSeries and iSeries servers
New language goes beyond compliance

BY JAIKUMAR VIJAYAN

A new programming language announced by IBM last week promises to help companies automate the enforcement of corporate privacy policies.

IBM’s XML-based Enterprise Privacy Authorization Language (EPAL) can be used to build privacy-related rules and conditions, said Steve Adler, an IBM marketing manager. For instance, privacy policies could be written and attached to each record in a customer database. The policies then travel wherever the data goes and can be used to control the manner in which the data is accessed and used.

EPAL builds on the World Wide Web Consortium’s Platform for Privacy Preferences Protocol (P3P), Adler said.

P3P allows privacy preferences that are expressed in plain text to be turned into a digital or machine-readable code. It’s used widely in browsers to accept or block a Web site’s request for information based on a user’s privacy preferences.

P3P Comparison

But P3P doesn’t allow developers to set conditions or give them a way to express negative rules — telling what a user can’t do, for instance, Adler said. In contrast, “EPAL provides this positive and negative language that allows you to articulate what people are allowed to do or not allowed to do with data,” he said.

“It’s much more robust than P3P because it gives you a way to prevent data from being used in a [noncompliant] manner,” said Larry Ponemon, director of the Ponemon Institute, a privacy think tank based in Tucson, Ariz.

“EPAL allows companies to use language that not only can describe an activity but also help enforce that activity,” said Scott Shipman, privacy counsel at eBay Inc. “To date, no language has supported that second component.”

EBay is a member of IBM’s Privacy Management Advisory Council, which has evaluated the new language. The 25-member group also includes companies such as Marriott International Inc. and Fidelity Investments.

It’s too early to say whether companies will need to make changes in their existing applications to take advantage of an EPAL environment, Shipman said. That will become clearer only as more tools become available for EPAL, he noted.

IBM’s own approach has been to use what it calls “monitors” for linking new and existing applications to its Tivoli privacy management software. The approach allows developers to build privacy rules and audit reporting into applications without having to hard-code changes.

EPAL will allow companies to set and enforce far more specific rules related to the manner in which data is accessed and shared, said Fred Cohen, an analyst at Burton Group in Midvale, Utah.

The downside is that the more rules a company builds around its data with EPAL, the more complex the environment is likely to get, he added.

“It’s one thing to have a system with five or six rules. But to express something like HIPAA compliance may take thousands of rules,” Cohen said, referring to the Health Insurance Portability and Accountability Act. “There are all sorts of things that could go wrong.”

IBM’s EPAL announcement builds on the company’s emerging privacy management initiative. Since last fall, IBM has been selling a P3P-based technology called Tivoli Privacy Manager that’s aimed at helping companies comply with privacy rules. The technology allows companies to take a written privacy policy and convert it into digital form, deploy the policy to specific IT systems and applications, and then monitor access to data in accordance with the policy. EPAL is the language through which automatic enforcement can take place.


NEW PRODUCTS

IBM’s Privacy Management Tools

■ Reference Monitor for Tivoli Privacy Manager

■ Declarative Privacy Monitoring for Tivoli Privacy Manager

The monitors link new and existing applications to privacy management software, eliminating the need to hard-code privacy functions into each application.


EMC to Buy Legato as Part Of Storage Software Push

Its latest acquisition continues plan to diversify revenue

BY LUCAS MEARIAN

EMC Corp. last week announced a planned acquisition of storage software vendor Legato Systems Inc. that’s intended to boost its presence in the data backup market and help it offer an integrated set of tools for managing the entire life cycle of information.

EMC CEO Joe Tucci said the addition of Mountain View, Calif.-based Legato through a stock-swap deal valued at $1.3 billion will push EMC closer to his goal of getting 30% of its revenue from software sales. Storage management software currently accounts for 23% of EMC’s business, which is still dominated by its disk arrays.

But EMC will have to reassure Legato users like David Scott, a systems administrator at Butler Machinery Co. in Fargo, N.D. Scott uses three of Legato’s backup products and said he’s concerned that support for those applications may diminish after the buyout.

“I’m always worried about support,” Scott said. “When you do have [product] issues, you want to be up and running as quick as possible.”

Jamie Gruener, an analyst at The Yankee Group in Boston, said the planned acquisition will also put Legato at risk of losing its hardware neutrality. But, he added, EMC users stand to benefit from having a broader suite of storage management software sold and supported by the company.

That may not be enough to convince Visa International Inc. to adopt EMC’s backup software, even though the Foster City, Calif.-based credit card company has many EMC disk arrays on its 150TB storage-area network.

Scott Thompson, executive vice president of Visa’s technology group, said he isn’t likely to move away from Veritas Software Corp.’s NetBackup tool in the foreseeable future because he trusts the market-leading technology.

The Legato deal is due to be completed in the fourth quarter.

Tucci said Legato will become a division of Hopkinton, Mass.-based EMC and will continue to be led by David Wright, Legato’s chairman and CEO. However, its developers will move to EMC’s open-software development division.

Legato shares many customers and channel partners with EMC, Wright said. “We suffer from one thing, and that’s lack of resources,” he said, adding that Legato hasn’t been able to push sales to a higher level on its own. The company has been in the red for 14 straight quarters, and it lost $2.6 million on revenue of $74 million in this year’s first quarter.

The Legato deal was announced just one week after EMC said it had bought Houston-based BMC Software Inc.’s discontinued Patrol Storage Manager technology. Legato will become the 10th storage software vendor that EMC has acquired outright since 2000 as part of its strategy to reduce its reliance on hardware sales.

Tucci said he would outline plans to integrate EMC’s own backup and recovery software, EMC Data Manager (EDM), with Legato’s flagship NetWorker product at a briefing scheduled for Aug. 6 in New York. Current EDM users will receive a free upgrade to the integrated product, he said.

EMC held 2% of the market for backup and recovery software last year, while Legato had an 8.1% share, according to Gartner Inc. in Stamford, Conn. Veritas was by far the top vendor, with a 47% market share, followed by IBM’s Tivoli Software unit at 16.6%.

Legato will add about 1,500 employees to EMC’s workforce of 17,200. Tucci said there would be some consolidation moves, but he added that the deal won’t be “made or broken on the cost side.”


Recent Acquisitions

SEPTEMBER 2002: EMC acquires Prisa Networks Inc., a San Diego-based vendor of software for managing small and midsize storage-area networks.

APRIL 2003: The company buys Astrum Software Corp., a Boston-based developer of storage resource management software for midrange applications.

JULY 2003: EMC purchases the rights to BMC’s Patrol Storage Manager technology, which monitors and reports on usage of storage systems.


SUN’S SAN PLAN

Sun Microsystems last week announced a strategy for managing multivendor SANs but was short on details:


Microsoft Revamps Stock Awards Plan

Microsoft Corp. said “a significant portion” of the stock-based compensation awarded to more than 600 of its top managers will now be based on improvements in customer-satisfaction rates as well as growth of the company’s user base. The new approach is part of a plan under which Microsoft will give employees actual shares of its stock instead of stock options.


Patches Issued for New Windows Hole

In other Microsoft news, the company issued patches for a security hole that affects all supported versions of Windows and could be used by attackers to run malicious code on unprotected systems. The problem involves a buffer-overrun vulnerability in an HTML converter component built into Windows. Microsoft gave the flaw a “critical” severity rating on all releases except for Windows Server 2003.


Dell Offers PC Security Service

Dell Computer Corp. announced an optional service under which it will implement security benchmarks developed by the Bethesda, Md.-based Center for Internet Security on the PCs it sells. Dell will activate more than 50 security settings in Windows 2000 for users who sign up. A similar offering will be added for Windows XP later this year, the company said.


Short Takes

ORACLE CORP. said it plans to more than double the number of software developers and customer service workers it has in India, to 6,000-plus employees.

New York-based INFORMATION BUILDERS INC. released a mainframe Linux version of its WebFocus business-intelligence software.


MARK  HALL  ■  ON  THE  MARK 

Open-Source  Spells 
Doom  for  Oracle,  DB2 . . . 

. . .  Sybase  and  other  general-purpose  databases,  predicts  Tim  O’Reilly. 
“MySQL  might  do  to  databases  what  Apache  did  for  Web  serving,” 
says  the  president  of  technical  book  publisher  and  conference  orga¬ 
nizer  O’Reilly  &  Associates  Inc.  in  Sebastopol,  Calif.  Apache,  he 
claims,  has  forced  Microsoft  Corp.  to  make  its  IIS  Web  server  software 
“effectively  free  in  bundles.”  David  Axmark,  co-founder  and  “open  sor¬ 
cerer”  at  Uppsala,  Sweden-based  MySQL  AB,  the  developers  of  the 
open-source  database,  cautions  that  you  won’t  see  Larry  Ellison  approving 


free  deals  for  0racle9i  in  the  near  future, 
if  ever.  Still,  he  says,  “MySQL  has  already 
forced  prices  down  in  databases.”  And 
the  price  pressure  will  pick  up  steam  with 
the  release  of  MySQL  Enterprise  in  two 
years.  ■  MySQL  gets  another  small  boost 
next  month  when  Pogo  Linux  Inc.,  a  sup¬ 
plier  of  preconfigured  Linux  servers  and 
workstations,  ships  its  first  database  ap¬ 
pliance,  the  Dataware  2600,  at  Linux- 
World  in  San  Francisco. 

The  Redmond,  Wash.- 
based  company  is  MySQL’s 
first  hardware  partner,  and 
it’s  just  a  start-up.  Still, 
the  relentless  open-source 
drumbeat  pounding  in  the 
heads  of  operating  system 
vendors  is  beginning  to  be 
heard  by  the  database  gi¬ 
ants,  too.  ■  One  of  the  more 
intriguing  new  products  you’ll 
encounter  this  summer 
is  from  Procom  Technol¬ 
ogy  Inc.  in  Irvine,  Calif. 

William Long, vice president of product planning and development, assures everyone that the product, called Taurus, is neither a Ford nor an astrological sign, but rather a “bridge product” for wireless networks and network-attached storage. You probably didn’t even know that bridge needed crossing, but the Taurus, which is being unveiled today, serves as both a wireless access point and a data storage appliance. The Linux-based device offers a 600-ft. line-of-sight access range from clients and has a simple LCD display for setup and troubleshooting. Long claims that the small device (about the size of the latest Harry Potter novel) will start cropping up in public wireless hot spots because it’s easy to install and inexpensive. And since it has up to 250GB of local storage, it lets users publish gobs of information to the Web. A 40GB unit starts at $1,699.
■ Still have some pesky Macintoshes in your company? Well, starting tomorrow, you can back them up with Retrospect 5.1 for the Macintosh from Dantz Development Corp. in Orinda, Calif. The upgrade adds Red Hat Linux client support (it already supported Windows clients) and a nifty disaster recovery CD that lets you boot dead-in-the-water Macs and recover your data using a single disc.

■ Web services can clog your network with extra overhead, so you need to test those applications stringently, advises CIO Michael Stoeckert of EPL Inc., a Birmingham, Ala.-based IT services firm for banks and credit unions. He says EPL has a new application for processing check orders its customers place with check printers, a service it couldn’t offer until the advent of XML, SOAP and other Web services protocols. Stoeckert uses LoadRunner, a network test tool from Mercury Interactive Corp. in Sunnyvale, Calif.

He also runs Mercury’s SiteScope to track the services-based application as its packets trek to and fro because “latency can be a problem” when you are dealing with machines outside your own data center. Stoeckert isn’t overly concerned about security for the application because “it was not architected as a Web service for a B2C model. We’re in the B2B world.” A much safer place.

■ A B2B operation of a different sort is being run by Geekcorps, a North Adams, Mass.-based volunteer organization that seeks technology experts who are willing to help businesses in developing countries design, deploy and run information technologies. So far, more than 1,500 volunteers have contributed their know-how in places like Bulgaria, Ghana, Jordan and Mongolia. The usual stint takes three to four months. Geekcorps staffers say many IT pros sign on while between jobs. So, while you’re waiting for the recession to end and work to begin, you can give a little back to the planet.


Cool  Security 


Articsoft Ltd. this week will release its FileAssurity OpenPGP. The London-based company says the $39 package encrypts and decrypts PGP-protected files and generates, imports and exports PGP keys. FileAssurity OpenPGP works with any other OpenPGP-compliant software and uses the U.S. government-approved FIPS 197 encryption algorithm at its maximum strength, 256-bit.


IBM  Shifts  Life-Cycle  Management  Focus 


BY  JAIKUMAR  VIJAYAN 

IBM will launch by year’s end bundled Express versions of its product life-cycle management (PLM) software as part of a recently announced campaign targeting small and midsize manufacturing companies.

Under the first phase of the initiative, IBM will attempt to sell PLM software that’s tuned for deployment in companies that manufacture industrial machinery and components, mobile equipment and consumer goods. PLM tools are designed to improve manufacturing efficiency, product quality and time to market.

IBM’s effort addresses an important need, according to Ed Miller, president of CIMdata Inc., a consultancy in Ann Arbor, Mich.

“If you look at the PLM market, the majority of investments has traditionally come from major companies,” Miller said. “But what we are finding over the last couple of years is an increasing interest from small to midsize organizations” that want to take advantage of the potential benefits of PLM.

Jomico Metal Fabricators, a sheet metal shop in St. Louis, is considering implementing a document management capability for its CATIA engineering software from IBM. The company is a supplier to the likes of Lockheed Martin Corp. and The Boeing Co. and is under pressure to streamline the process for managing its engineering documents.

“A lot of our customers are ISO-certified, and they like to see their vendors in compliance as well,” said Dave Henson, CAD/CAM systems manager at Jomico. But until now, Jomico couldn’t afford to implement a PLM capability.

The hope is that IBM’s PLM Express initiative will change that, Henson said.

The idea is to take some of the complexity and cost out of PLM deployments, especially for smaller companies where both issues are critical to technology adoption, said Debbie Walker, a product manager with IBM’s PLM group.


Unisys  Tunes  JVM  for  ES7000 


Provides  Unix  alternative  by  enabling 
Java  applications  to  run  on  Datacenter 


BY  CAROL  SLIWA 

Unisys Corp. today is making available a Java virtual machine (JVM) that it has specially tuned for its 32-processor ES7000 system running Microsoft Corp.’s high-end Windows Datacenter server operating system.

The Blue Bell, Pa.-based company claims that its new JVM — which will enable Java applications to run on Windows on the ES7000’s Intel-based processors — will provide an alternative to Unix for independent software vendors and enterprise customers who need high-end, enterprise-class performance with Java.

But it’s unclear how much appeal the JVM will hold for existing ES7000 customers, many of whom are devoted Microsoft users.

“We are currently committed to Microsoft development, so the use of Java isn’t currently entertained here,” said Morris Koeneke, a database services manager at Addison, Texas-based Mary Kay Inc., which has several ES7000s.

Bob Crownhart, an IT director at Premera Blue Cross in Mountlake Terrace, Wash., said the health insurer doesn’t run Java applications on its ES7000 or have any plans to do so. But he added that he has no problem with Unisys developing a JVM for the ES7000, as long as it’s an optional element.

Crownhart said he doesn’t like to see Unisys depart from Microsoft’s direction and would have concerns if Unisys shipped the JVM with the ES7000 and it affected the service packs or maintenance releases that Unisys ships.

“In those service packs, we’d have to look for any patches or hot fixes to that specialized [JVM], because you know they’re not going to code it right the first time,” Crownhart said. A “customized piece,” such as the Unisys JVM, might “thwart uniformity,” he added.

Gauging  User  Interest 

Walt Lapinsky, director of strategic software at Unisys, said the new JVM can be downloaded at no charge. He said the company will consider shipping it with the ES7000 if interest is high.

The Unisys JVM has been available in beta format for roughly a year, and a few customers and independent software vendors have used it, Lapinsky said. Unisys declined to provide the names of any beta testers.

Lapinsky said customers that are trying to consolidate servers for ease of management are unable to do so with their Java applications in the Windows Datacenter environment, so Unisys saw a need to provide a way to do that.

John Meyer, an analyst at Cambridge, Mass.-based Forrester Research Inc., said it made sense for Unisys to begin supporting Java as proactively as it does Microsoft, since Java on Unix has been the more credible platform for large-scale, back-office applications in the past two years.

Meyer said he thinks the trend will continue toward Intel-based systems hosting what Unix systems have traditionally been known for. Windows can be a viable operating system for deploying applications that need significant scalability, and users can do it at a lower cost than with Unix systems, he said.

But Meyer said Unisys will need to get application server vendors to support its JVM in order to have a viable offering. “Unless the other vendors support it, the uptake in the use of it for J2EE on the Unisys platform will probably be much less than what it has the potential for being,” he said.

So far, there has been no indication of whether IBM and BEA Systems Inc., the leading Java application server vendors, will provide support.

NEW PRODUCT

Java on Windows

The new JVM from Unisys is designed for the following:

■ Windows Server 2003 Datacenter and Enterprise editions

■ Windows 2000 Datacenter Server and Advanced Server


Group  Led  by  IBM,  Microsoft 
Releases  User  Identity  Spec 


Must  converge  with 
user-backed  Liberty 
Alliance’s  work 

BY  CAROL  SLIWA  AND 
TOMMY  PETERSON 

The fifth of seven parts of a Web services security plan drawn up 15 months ago by IBM and Microsoft Corp. emerged last week. But it will have to be reconciled with work already done by the user-backed Liberty Alliance Project.

The newest specification, called Web Services Federation (WS-Federation), describes how to exchange user identity information among systems that rely on different security models. VeriSign Inc., BEA Systems Inc. and RSA Security Inc. helped IBM and Microsoft draft the specification, which will now be subject to a public review period of an undetermined duration.

Even though the 170-member-plus Liberty Alliance has focused on federated identity, the smaller group led by IBM and Microsoft said its efforts won’t stand in conflict. The Liberty Alliance’s membership extends beyond technology vendors to companies such as American Express Co., Bank of America Corp., General Motors Corp. and UAL Corp.

“We’re anxious to work with them to find a way for them to take advantage of this key infrastructure,” said Karla Norsworthy, director of dynamic e-business technologies at IBM.

Steven VanRoekel, director of Web services marketing at Microsoft, said the technology introduced in WS-Federation is “very complementary” to the Liberty Alliance’s work. He said Liberty targeted the specific scenario of consumers opting to allow their information to be shared among corporations or service providers, whereas WS-Federation addresses the broader issue of federating multiple identity systems to one another.

“Right now, WS specs are underspecified, and Liberty specs are overspecified. It would obviously help if people would get in a room and talk about it, but I don’t know how soon that will happen,” said Bob Blakley, chief scientist for security and privacy at IBM’s Tivoli Software division. He also worked on the Security Assertion Markup Language standard that is key to the Liberty Alliance’s work.

For its part, the Liberty Alliance welcomed the focus on federated identity and pledged to look at the WS-Federation specification once it goes to an open-standards body.

“Convergence of the two standards would benefit everyone, rather than having a holy war,” said Slava Kavsan, vice president of engineering at RSA Security, which is a member of Liberty Alliance and has also worked with the IBM/Microsoft group.

Eric Norlin, vice president of strategic marketing at Ping Identity Corp., a Liberty Alliance member in Denver, noted that convergence wouldn’t be unprecedented. He said the Liberty Alliance moved quickly to adopt relevant parts of the WS-Security specification once IBM, Microsoft and VeriSign turned it over to the Organization for the Advancement of Structured Information Standards (OASIS).

The authors of WS-Federation pledged to submit the specification to a standards body. No decision has been made about which one, but Norsworthy said OASIS is a “very likely candidate.”

WS-Security, the first of the road map specifications to be published, went to OASIS in September. WS-Policy, WS-Trust and WS-SecureConversation, which were published in December, are still in the review stage and have yet to be submitted to a standards body.


What  WS-Federation  Includes 


Web Services Federation Language: Defines how different security systems broker identities, attributes and authentication among Web services.

Passive Requestor Profile: Describes how federation mechanisms can be used by passive clients, such as Web browsers or Web-enabled cell phones, to provide identity services.

Active Requestor Profile: Defines how federation mechanisms can be used by active clients, such as Web services and smart clients.


Software Market Hit
By Purchasing Delays


While  vendors’  financials  fall  short, 
users  benefit  from  tough  sales  climate 


BY  STACY  COWLEY 

CITING PURCHASING delays stemming from the troubled economy, quite a few software vendors are already warning that the numbers will be grim when they release their financial results later this month for the quarter that ended June 30.

While PeopleSoft Inc. in Pleasanton, Calif., unexpectedly lived up to earlier forecasts despite pressure from Oracle Corp.’s hostile takeover bid, fellow enterprise applications maker Siebel Systems Inc. in San Mateo, Calif., warned for the second quarter in a row that it will miss its earlier guidance.

Houston-based systems management software developer BMC Software Inc. also fell short of expectations for its most recent quarter, as did all four of the major pure-play enterprise application integration vendors: Tibco Software Inc., WebMethods Inc., SeeBeyond Technology Corp. and Vitria Technology Inc.

Some Good News

Even though most of this quarter’s earnings warnings came from software companies, analysts said that the problems are concentrated in certain niches and that the software sector overall remains healthy.

“I’m more looking at the glass as half-full. In general, I’m seeing a lot of buying,” said Joshua Greenbaum, founder of Enterprise Applications Consulting Inc. in Daly City, Calif.

IT SPENDING

In the turbulent enterprise applications market, top vendors SAP AG, Oracle, PeopleSoft and Denver-based J.D. Edwards & Co. are all performing well, said Greenbaum, who added that he sees Siebel’s string of rough quarters as a company-specific issue.

“Siebel wants to blame the economy for the trouble, but I really think fundamentally they have some serious holes in their product strategy that are really coming home to roost,” he said.

While other developers offer clients full portfolios of applications to handle a variety of corporate operations, Siebel has remained focused almost exclusively on CRM offerings. And that focus will continue to cost the company sales as customers increasingly seek integrated suites, he predicted.

Gartner Inc. analyst Tom Topolinski contends that Siebel’s future isn’t quite that bleak. All of the CRM vendors are adjusting to a market that will never again grow at the rate it did in the late 1990s, and none of them have yet perfected their formulas for generating sales in the new environment, said Topolinski, research director of Stamford, Conn.-based Gartner’s worldwide software applications group.

The rate at which sales are declining has slowed, but CRM vendors won’t hit bottom and begin to turn the corner toward growth until the third or fourth quarter of this year, he predicted. Gartner estimates that new worldwide CRM license sales declined 25% in 2002, to $2.8 billion, and will fall another 16% in 2003 before finally picking up to a 1% growth rate in 2004.

With even the healthiest companies sensitive to the tough climate for software sales, the vendors’ bane can be the customers’ boon.

J.E. Henry, CIO at Knoxville, Tenn.-based movie theater operator Regal Entertainment Group, recently went shopping for a CRM system for Regal’s Denver-based Regal CineMedia advertising subsidiary. After evaluating several vendors, Henry settled on PeopleSoft’s technology as the best match for Regal CineMedia’s needs. But all of the vendors he talked with offered more flexibility than was common two years ago, he said.

“The software vendors are very open to negotiating, as far as pricing and contract terms,” he said. “That tells you something about the market.”

Cowley is a reporter for the IDG News Service.

Revenue Roll Call

VENDOR               JUNE ’02 QUARTER REV.   JUNE ’03 QUARTER REV.
BMC Software         $305.2M                 $305M-$312M*
Computer Associates  $765M                   $803.3M**
Microsoft            $7.25B                  $7.88B**
Oracle               $2.77B                  $2.83B†
PeopleSoft           $482.2M                 $490M-$500M*
SAP                  $2.03B                  No estimate available
Siebel               $405.6M                 $330M-$334M*

NOTES: *Preliminary estimate from company management
**Consensus estimate of analysts polled by Thomson Financial/First Call
†Quarter ended May 31

House Cuts Pentagon’s IT Budget

Lawmakers cite lack of oversight

BY DAN VERTON

The U.S. House of Representatives last week passed a defense spending bill that, if approved by the Senate, would significantly reduce investment in technology that’s key to the U.S. Department of Defense’s so-called transformation effort.

The House voted 399-19 to cut $320 million in IT spending across the operations and maintenance accounts of all four military services. The Navy and Air Force each lost $100 million in planned spending, while Army and departmentwide IT programs were each reduced by $60 million. The Pentagon had requested $28 billion in departmentwide spending on IT programs.

Officials from the Army, Navy and Air Force declined to comment last week on what one official from the Army CIO’s office called pending legislation. The House and Senate must still hash out a compromise on the measure in a joint session.

However, in a report on the bill published July 2, the House Appropriations Committee said it was concerned about the continued growth of IT programs, especially operations and maintenance accounts. In addition, lawmakers said they have reservations about a “lack of oversight and management attention” given to many Pentagon IT programs.

[IT spending is] the last thing that should be cut, not the first.
JAMES ADAMS, CEO, THE ASHLAND INSTITUTE FOR STRATEGIC STUDIES

“Over the last two fiscal years, the information technology budget has increased over 15% in the operation and maintenance accounts,” the report said. “While the Committee fully supports the transformational efforts of the department, the Committee continues to believe that the Department of Defense must be more effective in eliminating unneeded legacy systems and consolidating the large number of disparate networks that are currently being maintained.”

A senior staff member on Capitol Hill who spoke on condition of anonymity said the basic reason for the reductions is the Pentagon’s “lack of a coherent strategy” when it comes to IT investments.

“We’re not seeing a whole lot of effective program management either,” said the staffer. “Until they get that right, how can they expect us to keep funding these programs at the levels they are requesting?”

A  ‘Warning  Shot’ 

James Adams, founder and CEO of The Ashland Institute for Strategic Studies in Ashland, Ore., and a former IT adviser for the National Security Agency, said the cuts aren’t so deep as to signal a major technology crisis for the Defense Department.

“Usually, these sums of money are warning shots,” said Adams. “Still, it doesn’t seem very rational to me. The requirement to make the services [fight more effectively as a team] is more investment in IT infrastructure, not less. You can’t effectively [integrate military services] unless you have a solid IT infrastructure. It’s the last thing that should be cut, not the first.”
HP Agrees to Buy
Security Software

Hewlett-Packard Co. said it has agreed to buy Web-based user identity management software from Baltimore Technologies PLC in Hemel Hempstead, England. HP will pay about $13.6 million in cash for the SelectAccess technology, according to Baltimore, which is looking to sell off all its operations. The deal between the two companies is expected to be completed next month.


Symbol’s  Chairman 
Steps  Down . . . 

Symbol Technologies Inc. said Jerome Swartz has resigned as chairman and chief scientist of the Holtsville, N.Y.-based company, which is being investigated for accounting violations by the U.S. Securities and Exchange Commission and the U.S. attorney’s office in New York. CEO Richard Bravman will serve as chairman until the maker of wireless devices and bar code scanners holds its annual shareholders’ meeting in October.


. . .  While  Two  Top 
Execs  Exit  Proxim 

Proxim Corp., a Sunnyvale, Calif.-based maker of wireless LAN equipment, announced that Chairman Jonathan Zakin and Vice Chairman David King will both resign from its board and give up their positions as corporate officers. Proxim also said that it expects to report a loss of about $50 million on revenue of approximately $35 million for the second quarter.

Short  Takes 

Thomas Lesica was named group vice president of global IT and business operations at AVAYA INC. in Basking Ridge, N.J. . . . INTEL CORP. said it has acquired WEST BAY SEMICONDUCTOR INC., a Vancouver, British Columbia-based maker of optical networking chips.


NEWS


www.computerworld.com 


CA  Event  to  Focus  on  Security, 
On-Demand  Technologies 

Software  vendor  expected  to  announce 
release  of  security  portal  at  conference 


BY  MARC  L.  SONGINI 

As it tries to cope with the continuing lull in IT spending, Computer Associates International Inc. is expected to make big pushes on security and on-demand computing technology at its annual user conference this week.

Among the announcements expected at CA World 2003 in Las Vegas is the release of the company’s eTrust Security Command Center software, a portal-based product that will let IT staffers centrally manage security applications from different vendors across a variety of systems. CA detailed its plans for the portal technology last September [QuickLink 32832].

CA officials declined to comment about other product developments that will be discussed this week. But based on the agenda for CA World, the vendor will also promote its efforts around Linux adoption and further detail its strategies for supporting on-demand computing and Web services technology.

For example, CA likely will announce new automated provisioning capabilities designed to let IT managers more fully exploit the network and server assets they have in their data centers, sources said.

The company made its initial foray into on-demand computing in late April, when it unveiled a set of six new or upgraded software products that can be used to dynamically allocate computing resources to specific applications as business demands change.

Rich Ptak, an analyst at Ptak & Associates Inc. in Amherst, N.H., said on-demand technology should help corporate users get improved payback from their existing IT infrastructures. CA’s offering is focused on companies’ need to rapidly install new applications, he added.

Electronic Theatre Controls Inc., a Middleton, Wis.-based maker of theatrical lighting equipment, uses CA’s Unicenter systems management software. Mike Eckert, an enterprise automation specialist at the company, said his CA World plans include looking at CA’s eTrust Intrusion Detection software as a tool that could “help filter what Web sites users can go see.”

In addition, Eckert said he’s interested in examining products that can help beef up Electronic Theatre Controls’ virus-protection capabilities and investigating how Unicenter integrates with the overall eTrust product line.

Mike Stevenson, enterprise administrator at the Peel Regional Police data center in Brampton, Ontario, also plans to attend CA World. But Stevenson said that he’s less interested in learning about specific product capabilities than he is in hearing about CA’s overall strategic direction. The police agency is also a Unicenter user.
Sarbanes

AMR Research Inc. in Boston. From an IT perspective, Section 409 “will cause the most heartburn” of all the Sarbanes-Oxley mandates, he said.

Jim Honerkamp, CIO at Clopay Corp., said officials at the Mason, Ohio-based building products maker “do anticipate a considerable amount of work” being necessary in IT because of Sarbanes-Oxley requirements like the ones spelled out in Section 409.

Honerkamp has already begun working with business executives and Clopay’s auditors to define internal control processes for complying with facets of the new law, including Section 409. But he acknowledged that the company’s IT department is “just starting” to focus on the software development, data security and consulting investments that will be needed.

“Very little work is being done on Section 409,” said Robert Handler, an analyst at Meta Group Inc. in Stamford, Conn. “Most of the work that is being done has been on Section 404.”

That’s the case at Globix Corp. Jameson Holcombe, senior vice president of operations at Globix, said the New York-based provider of managed IT hosting services currently is focusing on documenting its financial and accounting processes to meet the Section 404 requirements. Once that process is completed, which Holcombe expects to happen by mid-September, Globix officials plan to begin addressing the company’s automation needs, including ones tied to Section 409.

Sarbanes-Oxley compliance efforts are complicated by the fact that much of the law’s language “is so ambiguous,” Holcombe said. “For example, what is ‘material’?” He added that he hopes the SEC will publish specific guidelines for complying with Section 409 and other parts of Sarbanes-Oxley by September.

An example of a material event that may fall under the requirements of Section 409 is the loss of a major sales contract to a competitor, Handler said. Potential sales are often taken into account when companies make public revenue forecasts, he noted.

Cost overruns on IT projects and other major capital expenditures could also qualify as material events that need to be reported to interested parties within 48 hours.

Batch of Problems

The shift to a near-real-time computing environment could be particularly onerous for IT departments at big companies that rely heavily on batch processing, such as banks and telecommunications carriers.

Ulysses Knotts, CEO of CommerceQuest Inc., a Tampa, Fla.-based vendor of process-modeling software for Sarbanes-Oxley compliance, predicted that most big users will build hybrid batch and real-time reporting systems. “Show me a company worth more than $10 billion that’s going to eliminate batch,” he said. “They just can’t do it.”

Data marts that extract information from transaction systems might provide some relief in reporting on material events, Knotts said. But most existing data marts have been built to meet planning or marketing requirements that have turnaround times longer than 48 hours, he added.

Handler said he’s worried that many companies will procrastinate about taking steps to meet the Section 409 requirements. He drew an analogy between Sarbanes-Oxley and how businesses reacted to the Y2k problem. “We knew about it, then hemmed and hawed, and then reacted to it again with two years to go and scrambled,” Handler said.


Hotel Goes Wireless With Voice/Data IP Net

Uses new SIP standard to offer voice and text messaging via wireless phones

BY MATT HAMBLEN

Hotel Commonwealth in Boston opened last month with an IP network infrastructure that supports voice and text messaging to in-hotel wireless phones and other interactive applications for guests, all relying on the Session Initiation Protocol (SIP).

A few other U.S. hotels, including the Sheraton Sonoma County in Petaluma, Calif., have deployed combined voice and data IP networks. But Hotel Commonwealth’s use of the emerging SIP interoperability standard appears to be a first in the hospitality industry, said Brian Riggs, an analyst at Sterling, Va.-based Current Analysis Inc.

Paris-based Alcatel SA last week announced that it provided the IP switches that support SIP at the heart of the hotel’s network, plus its Alcatel Personal Wireless Telephony phones. Hotel Commonwealth guest rooms also have wireline IP phones that can receive text and graphical messages on 3-by-3-in. screens. Those phones are made by Woburn, Mass.-based Pingtel Corp.

Timothy Kirwan, managing director of the independently operated hotel, said the IP voice and data technology was chosen over a traditional private branch exchange (PBX).

An IP-based system that supports SIP offers more flexibility for adding features or applications, and it “won’t be obsolete in three to five years,” Kirwan said. Cisco Systems Inc. was the other finalist for the switch deal, he added.

“We were very concerned about the intuitiveness of the technology,” Kirwan said, since most hotel guests stay less than 48 hours and won’t tolerate having to master complex products. But the IP devices appear to be catching on, he said, noting that he saw guests carrying Alcatel’s wireless phones on the first day the hotel was open.

Riggs said the Hotel Commonwealth’s network is the largest IP convergence project undertaken by a U.S.-based hotel that he’s aware of.

Alcatel’s commitment to SIP was an important decision that adds a layer of standardization to the hotel’s choice to go with IP technology, said Stewart Randall, principal consultant at Communications Design Associates Inc. in Norwood, Mass. Randall acted as the lead IT consultant on the project, starting in 1998.

SIP has yet to be formally ratified by the Internet Engineering Task Force. But the use of the technology frees Hotel Commonwealth to replace its Alcatel and Pingtel phones, if necessary, with other devices that support the standard, Randall said. In addition, other network devices and applications, such as point-of-sale or call accounting systems, should interoperate with Alcatel’s OmniPCX Enterprise IP-PBX switches.

Randall said the hotel’s IT infrastructure cost more than $1 million to set up. But despite its investments in the IP network, high-speed Internet access and other high-tech amenities, the hotel isn’t tacking daily user fees onto its room rates, Kirwan said.


in  Boston  is  believed  to  be  the  first  company  in 
the  hospitality  industry  to  use  the  emerging  SIP  interoperability  standard. 
Wi-Fi

Wi-Fi links — or whether they should simply provide the Internet and e-mail access capabilities for free in the hope that increased sales of food, drinks and other products will more than offset the cost of the technology.

That issue is currently being weighed by McDonald’s Corp., which last week launched a Wi-Fi pilot project at 75 restaurants in the San Francisco Bay area through a deal with Austin-based Internet access provider Wayport Inc.

Mark Jamison, vice president of business strategy and development at McDonald’s, said the Oak Brook, Ill.-based company will use the San Francisco trial and similar ones in Chicago and New York to evaluate potential pricing models for the service and Wi-Fi technology’s ability to attract customers.

Altogether, McDonald’s plans to equip several hundred restaurants in the U.S. with Wi-Fi connections by year’s end. Jamison said the fast-food chain is charging $4.95 for two hours of Wi-Fi access at the San Francisco locations, but customers who buy a meal can use the technology for free. If a free service tests best with potential users, then that is “the path to follow,” he added.

Valencia Group, a Houston-based hotel operator, decided to offer free Wi-Fi access in all public areas in the luxury-class Hotel Valencia Santana Row, which opened last month in San Jose. Matthew Nuss, Valencia’s executive vice president, said company officials view the Wi-Fi capability as a must-have amenity for guests.

“Wireless, in our opinion, is the next running water,” Nuss said. “It’s become part of the infrastructure of a hotel.” The Valencia Santana Row installed seven wireless access points and pays about $2,000 per month for the 100MB/sec. pipe that supports the Wi-Fi service. Nuss said the service is well worth the IT cost because it helps the hotel attract technology-savvy travelers.

Schlotzky’s Inc., an Austin-based operator of deli-style restaurants, currently offers free Wi-Fi service in 15 of its 600-plus restaurants. Monica Landers, a spokeswoman for Schlotzky’s, said the chain started offering Internet access capabilities a year ago as a community service and quickly found that the technology paid off in terms of increased customer traffic.

Twelve company-owned stores in the Austin area that offer Wi-Fi service each pull in an extra 23 customers daily on average, Landers said. She added that customers spend an average of $6 each per visit, so Schlotzky’s easily gets a payback on the $300 a month it pays to run a T1 line to a restaurant. At a meeting this week, Schlotzky’s officials plan to encourage franchisees to add Wi-Fi service in their restaurants.

VIA Rail Canada Inc., which operates passenger trains throughout Canada, last week kicked off a four-month test in which it will offer Wi-Fi access on some trains between Montreal and Toronto.

Guy Faulkner, product manager for corridor services at Montreal-based VIA, said the railway won’t charge for the service during the trial. But VIA will ask passengers what they would be willing to pay for Wi-Fi access, he said.

Seattle-based Starbucks Corp. launched Wi-Fi service in its U.S. cafes last August and now offers access in about 2,000 locations. Users have to sign up for the service with Bellevue, Wash.-based T-Mobile USA Inc., whose prices start at $19.99 per month.

Lovina McMurchy, director of Wi-Fi business and alliances at Starbucks, said the company plans to stick with that approach. But she added that Wi-Fi hot-spot deployment is “a learning experience” for businesses and said it’s hard to tell how different pricing plans or free services will play out. At this point, a lot of companies are still just “dabbling” in Wi-Fi through pilot projects, McMurchy said.


ENTERPRISE WI-FI

AT&T and WorldCom both added Wi-Fi access capabilities to the VPN services they offer to corporate users:

QuickLink 39743
MARYFRAN JOHNSON

Dog Days of Unix?

The fortunes and misfortunes of Unix have always fascinated me, and honestly, I consider this something of a personal problem. Like voting for Democrats or trying to house-train a dachshund (both clearly wasted efforts).

I trace my Unix affliction back more than a decade to my days as a Computerworld reporter, when I was covering the piteous struggles of the so-called Unix desktop wars. My side lost quite spectacularly to the Microsoft monopoly. It was a clear defeat for open systems and a decisive win for Windows, the most proprietary operating system on earth.

Fast forward to today, and Unix is once again under siege, routinely derided as “proprietary” by, of all people, the Wintel crowd. But the most surprising attack is coming from a boisterous little Unix cousin with the same digital DNA twisting around its code and a cuddly penguin for a mascot. Linux, running on Intel boxes, is swarming the enterprise at the low end, bumping off the big-dog Unix variants (Sun Solaris, HP-UX and IBM’s AIX) almost as often as it routs Windows NT.

Linux is impressing IT with its compelling cost savings and solid performance, supported by a rising chorus of rabid fans among developers and all the major systems and software vendors.

So, is Unix really doomed this time? Is it too late to adopt an adorable mascot — a dachshund, perhaps? We answered that question (not the mascot part, but the doomsday scenario) on our front page last week [QuickLink a3360]. And we confirmed that Unix is far from being the guest of honor at any farewell parties.

Unix remains essential to the most powerful applications in corporate enterprises, says our survey of 291 IT managers and users. When asked how reliant their companies are on Unix, 77% of our respondents said “extremely” or “very” reliant. More than half (56%) said Unix would indefinitely own the high end, while another 24% saw its importance declining but not disappearing.

In another two dozen interviews, corporate users told us that while they love the economics of Linux on Intel at the low end, they’re acutely aware that it’s still years away from the power, scalability, stability and support their data centers require. The moving-target nature of Linux distributions — that rapid evolution of the code base that open-source devotees brag about — is hardly a selling point for high-end business applications today.

And real money is still being spent on Unix. Last year, businesses and governments worldwide spent nearly $21 billion on Unix servers and $13.9 billion on Windows, but only $2.8 billion on Linux, reports IDC. Over the next five years, however, IDC analysts expect Unix to crawl along, growing less than 3%, whereas Linux will be racing its engines, growing more than 200% to an eventual $8.8 billion market.

Listening to the Linux vendors, I have to admire their marketing spin as they denigrate Unix for its multiple versions (which they have in abundance) and make giddy predictions about “Linux everywhere” (a phrase borrowed from Bill Gates’ playbook?).

In reality, the foreseeable future is a three-way race between Unix, Linux and Windows — with Linux more likely to outrun Windows at the high end than Unix. But regardless of how this race plays out, it has only benefits for IT managers. Robust competition ultimately drives prices down and choices up. Oh, and if anybody wants to try outmarketing that beguiling penguin, I’ve got a very winsome dachshund I’d like to get out of the house more often.

MARYFRAN JOHNSON is editor in chief of Computerworld. You can contact her at maryfranjohnson@computerworld.com.
PIMM FOX

Microsoft, Lead the Spam War!

Mix independent, trusted authorities with best practices, authorize them to mediate disputes, add in a negligible dose of government interference, and what do you have?

The technology industry’s get-tough policy on a pernicious problem: spam.

Back in May, the Senate Committee on Commerce, Science and Transportation held hearings on spam. In written testimony, Microsoft Chairman Bill Gates didn’t say much about improving government regulations, tightening existing laws or beefing up enforcement talent at the Federal Trade Commission. Nor did he explicitly support Virginia legislation (signed in April) that has made it a felony to send unsolicited bulk e-mail containing falsified routing information. Virginia’s law goes further than the antispam statutes in 25 other states by permitting felony prosecutions and seizure of assets.

Instead, Gates — who says he hates spam — offered up a dose of research and marketing. Sure, the announcement of a 20-person Microsoft team to work on spam is good news, but it falls far short of what’s needed. (Note that the company’s security team didn’t get very far in a year.)

The only way to grab hold of this marketing gone berserk is to also hold Internet service providers financially liable — and make the penalties for spammers onerous enough to thwart their business plans. Think millions!

Telephone companies (prodded by the 1991 Telephone Consumer Protection Act) have blocking technology to combat telemarketers. Surely, Microsoft and IBM aren’t technology laggards. Gates should lead the technology charge to remove from Outlook and Exchange advertisements for bigger penises, get-rich-quick schemes and
Efficient, economical and reliable. These qualities give upstart air carrier JetBlue its distinct competitive advantage in the turbulent airline industry. Amidst competitors known for late planes, diminished service and inflated costs, JetBlue's planes fly on-time, with top-flight service, and at bargain basement passenger fares. To maintain this edge, the company builds its business systems upon an equally qualified IT architecture.

Since its start-up in 2000, JetBlue has standardized on a single computing architecture — Intel. The airline's massive data warehouse and frequent flier program, TrueBlue, are housed on a range of 4-, 8- and 16-way Intel® Itanium® 2-based Unisys ES7000 servers on Microsoft Windows*. And JetBlue's online reservation system, which delivers 72 percent of JetBlue's revenue, is about to be moved onto Intel's new, enhanced platform, the Intel® Itanium® 2 processor 6M L3. Additionally, the airline runs its internal operations on roughly 250 Intel® Xeon™ processor-based HP servers.

As a result of this consolidation onto a single powerful platform, JetBlue hasn't just boosted computing power, it's saved an estimated 60 percent in
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ageable  IT  infrastructure  for  the  future.  With  the  Intel  Xeon 
processor  MP  and  Itanium  2-based  platforms,  Intel  and  its 
customers  gain  the  ability  to  scale  out  and  up — functionali¬ 
ty  that  delivers  the  business  benefits  detailed  above. 

To  provide  customers  with  the  computing  platforms  neces¬ 
sary  to  achieve  these  business  benefits,  Intel  poured  over 
$9.5  billion  into  R&D  and  manufacturing  innovation  in  fiscal 
year  2002.  Much  of  this  investment  went  to  enrich  the  Intel 
Xeon  processor  family  and  fuel  the  emergence  of  comple¬ 
mentary  Intel  Itanium  2  processors  (see  boxes,  p.  3  and  p.  4). 

THE  ROI  OF  ARCHITECTURE  INVESTMENT 

Intel's  R&D  investment  might  seem  counterintuitive  to  cost- 
conscious  IT  leaders,  but  industry  analysts  say  forward- 
thinking  companies  are  on  the  right  track  to  reap  business 
value  from  continued  investment  in  server  infrastructure. 
"Companies  under-invest  in  technology  at  their  peril — even 
in  lean  times,"  reports  worldwide  management  consultancy 
McKinsey  &  Co. "New  technology,  deployed  intelligently,  can 
help  organizations  make  dramatic  leaps  in  productivity  and 
redefine  competition  within  [entire]  sectors."  1 

Enterprise  architecture  expenditures  are  an  especially 
smart  investment  in  future  business  benefits,  says  Jeffrey 
Hewitt,  principal  analyst  with  Gartner  Inc. 


"As worldwide economies begin to show recovery, server infrastructure improvements will come back into the picture because companies seek to stay competitive and upgrade aging hardware platforms," Hewitt says. The server market segment's return to growth will be fueled primarily by Intel on the processor front and by Windows* and Linux* from an OS perspective, he adds.

These market trends and independent analysis point to a common conclusion: IT leaders must meet today's common business challenges — and tomorrow's — by investing in flexible, scalable, interoperable technology solutions. The unpleasant alternative is to risk falling behind in the race to generate new business value and drive innovation.

INTEL® ITANIUM® 2 PROCESSOR

Ideal for High-Performance Applications

Designed for the most demanding, data-intensive enterprise and technical applications. Ideal for these critical applications: large databases, enterprise resource planning (ERP), supply chain management (SCM), business intelligence and high-performance computing.

» 64-bit, with support for 32-bit
» For databases >4-16 gigabytes of memory
» Key databases, tools, and enterprise applications are available now, with others ramping dramatically throughout 2003
» Choice of operating systems, including Windows Server 2003, HP-UX and Linux. Optimized applications suitable for manufacturing, scientific, energy and financial services solutions

For more information on Intel® Itanium® 2 processor-based servers, visit www.intel.com/ad/servers

POWERFUL PLATFORMS = PEAK PERFORMANCE

It isn't just about the infrastructure. Intel Xeon processor MP and Itanium 2 processor computing engines fuel more than a stronger, increasingly versatile IT foundation. They also enable companies to gain new business process efficiencies, streamlining business functions and enhancing employee productivity.

Business leaders realize that an advanced IT infrastructure can help extend their competitive advantages in key areas and, when coupled with improved processes and capabilities, drive innovation and new opportunities.

"As anyone on the Web knows, continuous enhancement is critical to attracting visitors and staying competitive," says Brian Farrey, president of TMP Technologies, a division of Monster Worldwide, which manages technology resources for its parent company (host of Monster.com). "The [Intel architecture] gives us more options and much faster development times when enhancing our site."

Among the principal business benefits enabled by Intel's evolving platforms:

Improved Online Transaction Processing and CRM: Intel Xeon processor MP-based platforms are ideal for mid-tier business critical applications, helping companies in all industries streamline business processes. Among the business results enabled by Intel Xeon processor MP-based platforms: improved customer relationship management, collaboration and business intelligence.

Maximized Databases, ERP, SCM and High-Performance Computing: The Intel Itanium 2 processor is uniquely designed for the most demanding, data-intensive enterprise applications. These high performing computing engines enable businesses to deploy their highest-end enterprise applications (e.g. large databases and business intelligence) on cost-effective Intel-based servers, instead of those based on RISC architectures.


Intel in Action: Powering the Enterprise at NASDAQ†

Like many enterprises in financial services, NASDAQ has banked heavily on — and is continuing to evolve with — platforms based on Intel® processors to keep pace with soaring transaction volumes driven largely by increased demand for instant information.

The company has also recognized the need to simplify and consolidate its hardware architecture to streamline development, deployment and support, having once had over a dozen hardware architectures in house.

Its efforts of late have been to harness Intel® Xeon™ processor MP-based systems to run the database engine for three emerging market data applications, as well as mission-critical applications launched and repeatedly enhanced over time.

"Intel Xeon processor MP and the future delivery of Intel® Itanium® processor family-based systems hold the key to NASDAQ's long-term business direction," says Richard Lind, SVP, technical operations for the firm. "They've laid out a very well-defined roadmap for driving down the cost of their processor technology while increasing the functionality it provides."

As a result, NASDAQ will migrate to the Intel Itanium processor family to power the core of SuperMontage, a "matching" engine that continually builds an internal representation of all buy and sell interests in a marketplace, and matches quotes and orders to produce instant execution functionality.

The data is fed into the three market data applications — Depth View*, PowerView* and TotalView* — that are powered by Intel Xeon processors MP and were taken live late last year. NASDAQ uses Intel Xeon processor MP-based Dell 6650* servers running Windows 2000 for the application suite, and has supercharged the database power of a custom application, Surveillance Delivery Real-time (SDR), which analyzes market transactions and sends alerts to analysts for review. SDR handles 2,800 trades and 1,400 quotes per second.

"We're very impressed with the performance and future of the advanced Intel platforms and see them as the foundation for our future computing strategy," says Lind.

For more information about NASDAQ, visit www.nasdaq.com


Intel Alliance Profile: Microsoft

Featuring SQL Server* 2000 Enterprise Edition†

With the growing complexity and competitive nature of business computing today, companies require their applications and databases to process and analyze massive amounts of data in a fast and efficient manner. Microsoft SQL Server* 2000 Enterprise Edition is available in both 32-bit (for Intel Xeon processor MP) and now 64-bit (for Itanium 2-based platforms) versions, both of which are designed to help firms scale as their global users continue to grow.

SQL Server 2000 Enterprise Edition 64-bit on Itanium 2-based platforms opens a new chapter in high-end database computing at lower costs than Unix-based systems available today; Microsoft's commitment to Itanium architecture expands the scalability options for memory-intensive data applications such as large-scale e-commerce, data warehousing and analytics.

Best Performance and Price/Performance 3: SQL Server 2000 64-bit delivers the fastest performance in non-clustered computing at 707,102 transactions per minute on the Itanium 2-based platform. It also delivers the best performance and price/performance for business-critical solutions on a 4-way Itanium 2-based server. Harnessing Itanium 2-based servers that support up to 512 gigabytes of RAM, SQL Server 2000 Enterprise Edition takes advantage of the advanced memory addressing capability to support rapid growth in mission-critical applications.

Easy Migration and Fast Deployment: Customer databases can be easily migrated from 32-bit to 64-bit, maintaining 100 percent T-SQL compatibility. No changes are required in client applications, which makes the job of database administrators and developers easier when deploying a 64-bit database into their server farm.

And with the ability to install up to 16 database engine instances on a single server, Microsoft offers the best economics of managing multiple types of high-end applications. With this package, companies realize these benefits while continuing to enjoy the familiar database environment, data access and formats to which they have grown accustomed. For additional information on Microsoft, visit: www.microsoft.com/sql


ADVERTISING  SUPPLEMENT 

services, manufacturing, retail, government and communications. This is done to ensure that Intel's technology is put to work delivering strong ROI, lower TCO, and meeting specialized industry needs.

McKinsey & Co. recently singled out Intel for its success in delivering solid business results. "Intel has concentrated on new, higher-value goods, thereby generating extraordinary productivity advances as microprocessors and memory chips become exponentially more powerful though not exponentially more expensive." 3

And, as shown in customer case studies such as JetBlue, Intel's powerful products, solutions and expertise are driving dramatic new business solutions — and value — across several key industries.

By taking JetBlue's lead — by making smart investments in enterprise architecture — well-established industry leaders find that they, too, can deploy critical business applications that can be described just like the upstart start-up's.

Efficient, economical and reliable.

For more information on Intel® Xeon™ processor MP and Intel® Itanium® 2 processor-based servers and educational opportunities, visit www.intel.com/ad/servers.

Performance  tests  and  ratings  are  measured  using  specific  computer  systems  and/or  compo¬ 
nents  and  reflect  the  approximate  performance  of  Intel  products  as  measured  by  those  tests. 
Any  difference  in  system  hardware  or  software  design  or  configuration  may  affect  actual  per¬ 
formance.  Buyers  should  consult  other  sources  of  information  to  evaluate  the  performance  of 
systems  or  components  they  are  considering  purchasing.  For  more  information  on  perform¬ 
ance  tests  and  on  the  performance  of  Intel  products,  visit  http://www.intel.com/performance 
/resources/limits.htm. 

The  Intel  Xeon  processor  MP  and  the  Intel  Itanium  2  processor  may  contain  design  defects  or  errors 
known  as  errata,  which  may  cause  the  products  to  deviate  from  published  specifications.  Such  erra¬ 
ta  are  not  covered  by  Intel's  warranty  Current  characterized  errata  are  available  on  request 

Information  in  this  document  is  provided  in  connection  with  Intel®  products.  No  license, 
express  or  implied,  by  estoppel  or  otherwise,  to  any  intellectual  property  rights  is  granted  by 
this  document.  Except  as  provided  in  Intel's  Terms  and  Conditions  of  Sale  for  such  products. 
Intel  assumes  no  liability  whatsoever,  AND  INTEL  DISCLAIMS  ANY  EXPRESS  OR  IMPLIED 
WARRANTY,  RELATING  TO  SALE  AND/OR  USE  OF  INTEL®  PRODUCTS  INCLUDING 
LIABILITY  OR  WARRANTIES  RELATING  TO  FITNESS  FOR  A  PARTICULAR  PURPOSE, 
MERCHANTABILITY.  OR  INFRINGEMENT  OF  ANY  PATENT.  COPYRIGHT  OR  OTHER 
INTELLECTUAL  PROPERTY  RIGHT.  Intel  products  are  not  intended  for  use  in  medical,  life 
saving,  or  life  sustaining  applications.  Intel  may  make  changes  to  specifications  and  product 
descriptions  at  any  time,  without  notice. 

Copyright  ©  2003  Intel  Corporation.  All  rights  reserved.  Intel,  the  Intel  logo,  Intel  Xeon, 
Itanium  and  Pentium  are  trademarks  or  registered  trademarks  of  Intel  Corporation  or  its  sub¬ 
sidiaries  in  the  United  States  and  other  countries. 

*Other  names  and  brands  may  be  claimed  as  the  property  of  others. 

12  The  McKinsey  Quarterly  Newsletter,  May  6. 2003. 

3  Source:  http://www.tpc.org/  As  of  May  20,  2003:  HP  Superdome*.  707,102  tpmC. 
$9. 1 30/tpmC,  with  64  Intel  Itanium  2  processors  at  1 .5  GHz.  each  with  6MB  iL3  cache,  run¬ 
ning  Microsoft  Windows*  Server  2003,  Datacenter  Edition  and  Microsoft  SQL  Server*  2000 
Enterprise  Edition  64-brt.  with  256  GB  RAM;  available  10-23-2003 

† Results and information are reported by end-user or vendor and not verified by Intel. Results may not be representative and may vary. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing.

cheap credit cards. Many e-mail programs can filter junk. Shouldn't ISPs also have the technology to block spam from ever reaching their outgoing servers?

So what's behind the foot-dragging by Gates and Microsoft? Well, any punitive action or technology requirement targeting ISPs would certainly affect Microsoft's Hotmail, MSN and bCentral online services. Also, Microsoft doesn't like being told what to do — especially by the government. The company's responses to spam have included stumping for best practices, mediating customer disputes and waiting until independent trusted authorities can certify legitimate e-mail solicitations. But where's the clout? Without the threat of financial pain, what's to prevent spammers from moving to another domain, enlisting better technology or ignoring these nongovernmental lobbies altogether?

There's lots of money behind the notion of certifying good online marketers and weeding out the baddies. By being able to slice and dice the online audience, Microsoft will be able to fence-sit this issue: It can create antispam teams (and publicity) while simultaneously reaping the rewards from "good" online marketers.

But there's one major problem with attempting to label good online marketers with a seal of approval: Who, I wonder, would wield that rubber stamp?

DAVID  MOSCHELLA 

Consolidation Claims Lead To FUD

IN MY COLUMN last month [QuickLink 38788], I argued that a simple trip to the dictionary should be enough to remind us that IT isn't a mature industry, no matter how fashionable it has become to claim otherwise. Similarly, much of the rationale for Oracle's ongoing efforts to acquire PeopleSoft has been based on an equally dubious claim: that the IT industry is consolidating.

I have been researching, analyzing and forecasting the IT marketplace for most of the past 25 years, and for the great majority of this time, people have been either predicting the imminent consolidation of the IT supplier base or claiming that it's already under way. Yet somehow during this time, the number of significant companies in the IT industry has continued to grow rapidly, from perhaps a hundred in the late 1970s to literally thousands today.

The consolidationists have got both their numbers and their analogies wrong. Most readers have probably heard, for example, that there were once more than a hundred automakers, whereas today there are roughly a dozen. But too often, no one mentions that while the number of car manufacturers has fallen, the number of companies that are part of the global automobile industry has soared into the hundreds of thousands. The same pattern is proving true for the IT business.

Our exaggerated sense of IT industry consolidation stems from relatively narrow and short-term thinking. Clearly, many IT markets have followed a pattern that eventually results in fewer, more dominant suppliers. A handful of start-ups might launch a new sector, but as the market expands, it creates both the revenue opportunities and specialized customer needs that attract new entrants. However, just as trees don't grow to the moon, this expansion inevitably slows, and the number of participating companies shrinks. We have seen this pattern with mainframes, minicomputers, PCs, storage devices and many software and networking products.

But this consolidation within existing segments has always been more than offset by the creation of new markets and the ever-expanding services that support them. Whether one is looking at hardware, software or networking, the result has been an increasingly fragmented IT industry. As silly as it seems today, many informed people were once deeply worried about how IBM, AT&T and "Japan Inc." would eventually dominate an overly consolidated IT business.

All of this is being repeated with Oracle/PeopleSoft. Larry Ellison is certainly right that some consolidation in today's bloated enterprise software business is likely, and even desirable, and that large mergers and acquisitions will inevitably be part of this process. Just look at the consolidation within the database market over the past 10 years. But as in the past, the assertion that the overall software business will also consolidate into a few big players will be proved wrong. Future innovation and specialization will assure that this won't happen.

Misleading claims of maturity and consolidation matter much more than might be initially apparent. To the extent that customers adopt these inaccurate views, they will develop an unnecessary bias toward not just Oracle, but all of the software industry's largest players. Thus, Ellison and others have a strong incentive to promote what is ultimately a self-serving idea. But it's mostly just a semi-sophisticated form of fear, uncertainty and doubt and should be viewed and treated as such.


WANT OUR OPINION?

More columnists and links to archives of previous columns are on our Web site:

www.computerworld.com/columns

Security Risk Is a Phantom Menace

IT'S SAD to see IT and security managers struggling to measure and manage security risk ["IT Managers See Need for Risk Metrics," QuickLink 38973]. I have conducted research for 35 years, interviewing more than 200 computer criminals, and I concluded long ago that as long as security remains imperfect, security risks (expected frequencies of adversities, not to be confused with business risks) aren't measurable in most cases because they're created by and under the control of our unknown enemies.

As noted in the article, there are insufficient loss statistics applicable to specific organizations on which to base valid risk assessments. Therefore, security risk can't be measured, controlled or managed. As Carl Cammarata rightly said in the article, "You can't manage what you can't measure."

The old, negative risk-reduction objective should be replaced with a positive one of achieving due diligence and good practices. It's more important to meet increasing regulatory and legal requirements and comply with standards.

We should use the good safeguard products and services provided by the multibillion-dollar security industry and benchmark relative to our common body of knowledge and the practices of well-secured, similar organizations.

By using these practical due diligence methods, we avoid negligence and more likely serendipitously reduce both the known and unknown risks created by our unknown enemies.

Donn B. Parker, CISSP
Los Altos, Calif.

Engineering the Corporation

THE PROBLEM with reengineering can be found in the word itself ["Reengineering Revisited," QuickLink 38981]. The "re" implies that companies have been engineered in the first place. I love business, and I think business-process engineering is a wonderful idea, but as an engineer, I find the term reengineering insulting. Why don't we just call it business engineering? If something falls off of a wagon, we can't refer to it as "engineered." It simply exists.

Kirk J. Gould
Phoenix, gouldkj@juno.com

Makes Sense

Robert L. SCHEIER'S "Surviving Software Upgrades" [QuickLink 38227] was an excellent common-sense article. Articles such as these will help the IT specialist to work more effectively with business owners and upper-level management.

Kris Molitor
Consultant, Rockford, Ill.

Finding Time for IDS

CONTRARY to Gartner's position, I find intrusion-detection systems to be very valuable ["IDS Criticisms Kindle Debate," QuickLink 39336], assuming you have someone who understands IDS and the network and who can analyze the captures. At my company, we have hundreds of examples of hack attempts and network problems that were resolved thanks to our IDS. This makes it worth it for us. Firewall traffic analysis isn't sufficient; Gartner's own statistics show that most hack attempts are by internal users. Organizations that can't dedicate time to operate an IDS shouldn't buy one.

Corey Whelpley, CISSP
Santa Ana, Calif.
corey_adam@hotmail.com

COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 500 Old Connecticut Path, Framingham, Mass. 01701.

Fax: (508) 879-4843.

E-mail: letters@computerworld.com. Include an address and phone number for immediate verification.

For more letters on these and other topics, go to

www.computerworld.com/letters


DAVID MOSCHELLA's latest book is Customer-Driven IT: How Users Are Shaping Technology Industry Growth. Contact him at dmoscheila@earthlink.net.

9:32 am. Martha Watson counts over 1,200 name brands in order to justify the word "more" to the legal department.

Know Thy Users

With the proper identity management system, you can save money, make users happy and improve your IT security. Here are strategies for making the right choices from users like Ann Garrett (left), chief information security officer for the state of North Carolina. Page 30

Strengthen Security During Mergers

With merger and acquisition activity on the rise, users like Bobby Gillham (left), manager of global security at ConocoPhillips, offer advice on how to protect your company's assets and bolster security at the combined business. Page 36


EDITOR'S NOTE

Risk is everywhere. Just stepping out your front door in the morning involves some risk. So does staying inside with the furniture.

As author Bill Bryson points out, government figures show that more than 400,000 people in the U.S. are injured by chairs, sofas and sofa beds in the course of a year. How do they do it? Mind you, we're talking about injuries that require a trip to the emergency room. That's about 10 times more than the number of people injured by skateboards, trampolines or scissors!

Of course, it's no surprise to you that risk comes in many forms. In the field of IT security, the threats include disgruntled employees, fired employees, clueless employees who succumb to social engineering, passwords left on Post-it notes, wide-open instant messaging and increasingly powerful hacker tools in the hands of teenagers.

This special report has dozens of tips to help you manage those risks. But before you implement any of them or buy another security product, do one thing: Stop to identify the three biggest security risks your company faces — whatever would bring your company to its knees. They will vary, depending on your industry and business model. Is it theft of credit card numbers? Embezzlement? Privacy violations?

Be sure to address those high-risk areas first, before looking at more exotic problems. Take care of the basics: passwords, patches, employee training, antivirus software and access controls. If you can't keep up, consider outsourcing.

And don't stub your toe on the furniture.

Mitch Betts is Features editor at Computerworld. He can be contacted at mitch_betts@computerworld.com.

On one network. Together, from one company.

MCI.

MCI makes global access easy. Plug in to our wide range of services, from simple dial-up to broadband, with the fastest speeds available over IP today. And stay connected with coverage in more than 140 countries around the globe. Since MCI's network is continually expanding, so are your access possibilities. To get your MCI Access now, call 1 888 886 3844 or go to www.mci.com/go/proof
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Fred  cohen  already  knew 
about  worms,  Trojan  horses 
and  hackers  in  November 
1983.  But  as  a  graduate  student 
participating  in  a  weekly  semi¬ 
nar  on  computer  security,  Cohen  was 
interested  in  a  new  class  of  security 
threats:  a  program  that  reproduced  it¬ 
self  by  attaching  to  other  programs.  It 
took  eight  hours  for  Cohen  to  create 
his  virus  and  nearly  a  week  to  get  per¬ 
mission  to  test  it  on  a  large  Unix  com¬ 
puter  at  the  University  of  Southern 
California. 

And  the  virus  worked  frighteningly 
well.  During  each  of  five  tests,  the 
virus  infected  files  and  gained  full  sys¬ 
tem  rights  on  the  machine  in  less  than 
an  hour  —  in  one  test,  it  took  less  than 
five  minutes.  After  that,  USC  systems 
administrators  banned  all  further  secu¬ 
rity  experiments  on  their  computers. 

Other  computer  security  threats  had 
been  around  for  two  decades,  since  the 
early  days  of  time-sharing.  Defenses 
against  them  were  mostly  ad  hoc  and 
used  on  systems  only  after  they  had 
been  attacked.  But  viruses,  which 
spread  largely  through  desktop  PCs, 
would  prove  to  be  the  threat  that  turned 
computer  security  into  an  industry. 

By  1986,  viruses  were  attacking  IBM 
PCs  and  Apple  II  computers.  In  1988, 
the  first  Macintosh  virus  appeared, 
and  so  did  the  first  commercial  anti¬ 
virus  software. 

But  in  1989,  the  problem 
was  large  enough  that  IBM 
sent  antivirus  software 
it  had  developed  for  inter¬ 
nal  use  to  large  customers, 
along  with  a  letter  ex¬ 
plaining  what  it  was  for. 

Suddenly,  large  companies 


1988:  After  Robert  Morris’ 

worm  program  cripples  the 
Internet  for  days,  the  De¬ 
fense  Department  sets  up 
the  CERT  Coordination  Cen¬ 
ter  at  Carnegie  Mellon. 
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The  Story 


So  Far 


An  all-too-successfiil  computer  experi¬ 
ment  eventually  spawns  the  antivirus 
software  industry.  By  Frank  Hayes 


were  thinking  about  computer  security 
—  and  antivirus  software  became  big 
business. 

But viruses weren’t the only threat. In November 1988, a worm program released on the Internet infected 6,000 servers — 10% of Internet host machines at the time — and crippled the network for days.

In the wake of the worm, the U.S. Department of Defense set up the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh to improve communication about future incidents. In 1989, the Department of Energy set up its own Computer Incident Advisory Capability at Lawrence Livermore National Laboratory.

In 1990, security researcher Eugene Spafford at Purdue University coined the term firewall for a system that would protect individual networks from threats such as worms. One of Spafford’s students, Daniel Farmer, developed the Computer Oracle and Password System (COPS), the first publicly available security scanner.

And in 1991, the first commercial security firewall was set up for Du Pont Co. by Digital Equipment Corp. Digital adapted its own corporate firewall to create the product.

But by the mid-1990s, protection from outside threats was no longer enough. E-commerce required protection while information was traveling across the Internet. Netscape Communications Corp. developed the Secure Sockets Layer (SSL) standard in 1994 to add automatic encryption and authentication to TCP/IP.

The same year, two developers at Enterprise Integration Technologies, Eric Rescorla and Allan M. Schiffman, created the Secure Hypertext Transfer Protocol, which allowed individual HTTP messages to be encrypted, signed or authenticated.

In 1998, attacks on Web sites and other government systems spurred the Department of Justice and the FBI to create the National Infrastructure Protection Center (NIPC), a joint effort by the government and private sector to prevent both physical and cyber attacks on computer networks.

Security concerns soared as the year 2000 approached, and “chief security officer” became an executive title at as many as half of large companies (though CSOs had been around as early as 1996). Microsoft Corp. appointed its own CSO in 2002, and after an embarrassing string of security holes in its products, stopped all new programming for a month to retrain its programmers and examine old code for security problems.

In the nearly two years since the terrorist attacks of Sept. 11, 2001, security has been a top IT priority — at a time when budgets are tighter than ever. And corporate IT security people will need to use existing resources, tap existing knowledge and, most of all, avoid reinventing the wheel if they want to squeeze the most out of every dollar.

And now, on with the story. ...


1988: Dr. Alan Solomon creates the first widely used antivirus software.

1994: The SSL standard developed by Netscape adds encryption and authentication to TCP/IP.

1998: The government establishes the NIPC to counter physical and cyberattacks against the Internet.

demonstrates the first documented experimental virus at the University of Southern California.

1990: Daniel Farmer develops COPS, the first publicly available security scanner.

coins the term firewall.

1991: Du Pont installs the first commercial security firewall.

1999: Chief security officers are appointed at nearly half of companies with more than $1 billion in revenue.

2002: Microsoft stops all coding for a month to retrain programmers and examine old code for security problems.
With the right identity management system, you can save money, make users happy and improve your IT security. Woe to those who ignore it. By Deborah Radcliff

You've got thousands of employees tapping into a dozen internal enterprise applications apiece, a growing base of external business partners and a slew of customers visiting your new portal. You need to give this fluid population the right channel for reaching their authorized resources. You need an identity management system.

An identification management system will help stem a flood of user-access complaints and serve as an essential bulwark to your security system. If you don’t have one, build one. But build it right the first time by addressing your most pressing needs now, with an eye toward adding features in the future. There are proven ways to do this, so don’t be the poor soul who doesn’t get it right the first time.

“I was talking to a client the other day who was developing a very customized proprietary [identity management] solution that didn’t leverage standards,” says Roberta Witty, an analyst at Gartner Inc. “The application was very questionable from an infrastructure perspective. You have to ask, Who’s liable in that case?”

Most identity management projects can be broken down into these areas: Planning, adopting standards, determining when to centralize password administration and when to delegate it, and leveraging early successes to cost-justify future initiatives. Here are some tips for implementing an identity management project.

1

Plan a quick-hit list. Start by determining what portions of identity management will make the most positive impact on your business today. For example, when the state of North Carolina began looking at its identity management needs in January 2000, the state’s Office of Information Technical Services (ITS) determined that the most important thing to address first was password resets, which chewed up 40% of help desk costs, according to Ann Garrett, chief information security officer for the state.

“We have 75,000 users using different systems who were forgetting their passwords, and I couldn’t afford to be in business any longer,” says Garrett.

ITS wanted a tool that would give users the ability to reset their own passwords with a challenge-response system; it chose Oblix Inc.’s NetPoint.

“The system has a Resume feature, so when a user forgets their password, all they have to do is answer a secret question, which takes the overhead off the administrator,” explains Brent Roberts, the state’s identity administrator. Now, he adds, password reset requests have dropped to nearly zero.


Plan for the long haul. But it wasn’t just the immediate password reset needs that North Carolina looked at, continues Roberts. ITS also took into account the state’s long-term access initiatives, starting with a Web-based portal that state employees can use to access their human resources and other interoffice data, which was recently deployed online.

“We needed an infrastructure that could support the coming onboard of agencies in phases,” Roberts explains. “So we put workflow and policy into the system that allows employees to change some of the noncritical fields, such as an office phone number. But other fields, like what data resources an employee has access to, are handled by their managers.”

The next initiative is to open certain data first to state-based businesses and later to citizens. For that, the infrastructure must also support a variety of endpoint access controls such as tokens, smart cards and biometrics, which may be coming in 2005, Roberts says.

Think standards. The only way to facilitate North Carolina’s short- and long-term plans was to build an identity infrastructure based on standards, which is another reason the state decided on Cupertino, Calif.-based Oblix, says Roberts.

For starters, Oblix works with the state’s current directory standard, Lightweight Directory Access Protocol. But it also supports current and up-and-coming Web-based standards, including an XML-based authentication and authorization standard called Security Administration Markup Language and an emerging provisioning standard called Service Provisioning Markup Language — both of which come out of the Organization for the Advancement of Structured Information Standards in Billerica, Mass.

With standards-based infrastructures, you can plug in new rules and roles, and you can add cross-vendor identity management applications as they develop, says Gary Loveland, a partner in the security and privacy practice at PricewaterhouseCoopers in New York. In addition, a standards-based infrastructure makes it easier to grant access to outside business partners without making them use the same products you use, adds Witty.

THE DELEGATED ADMINISTRATOR

Managing by Delegating

Know when to delegate. Like the state of North Carolina, about half of PricewaterhouseCoopers' clients start their identity management projects to address Web-based access needs, says Gary Loveland, a partner at the consulting firm. Doing this successfully calls for a delegated administration system, which lets end users start the process of registration themselves and delegates management of their user identities to department managers or systems administrators.

Nowhere is delegated administration more critical than in a business like Covisint LLC, a Southfield, Mich.-based online exchange for automakers, their suppliers and industry trade groups. With so much competitive information at stake, Covisint must guarantee that the 100,000 users logging on to the exchange to bid on work and to access manufacturer specifications and other data cannot skip around to reach their competitors’ data, says Dave Miller, Covisint’s chief information security officer.

But managing all those user IDs was impossible to do centrally, Miller says, and the number will soon double when DaimlerChrysler AG is added to the identity management system. So, with the help of RSA Security Inc.’s ClearTrust identity management suite, Miller has brought the number of user IDs under his domain to a manageable 10,000.

To do this, he established a root administrator at each of Covisint’s member organizations to manage their own in-house users accessing the portal, he says. Importantly, ClearTrust is also able to handle complex hierarchies of delegated administrators, since some of them are also responsible for managing accounts at their subsidiary companies.

Access approvals are finalized through an automated e-mail trail between the requesting administrator, Covisint and the manufacturer. Deprovisioning is also handled through e-mail.

- Deborah Radcliff

Know when to centralize administration. Just as many organizations prefer to centralize administration of user accounts, says Loveland. This choice is usually made when a company determines that its most important identity management problem is inconsistent user data and rogue internal user accounts, particularly when workflow policy is already centralized around the company’s human resources system.

This element of identity management is called user provisioning. For example, ProBusiness Services Inc., a human resources outsourcing services and technology vendor in Pleasanton, Calif., determined that its most immediate ID management problem was cleaning up inaccurate user account information for its 1,500 distributed employees whose metadata (telephone numbers, titles, spellings and the like) was often different than that stored in the company’s Siebel Systems Inc. human resources system.

Human resources wanted to maintain control of adding new users and provisioning their resources, along with deleting users and deprovisioning their resources upon termination or transfer. In addition, human resources requested a system that could help enforce hiring, staffing and salary guidelines and alert the human resources managers when such policies are violated, says Phil Blank, vice president of IT at ProBusiness.

For this, Blank’s team settled on Austin-based WaveSet Technologies Inc.’s Lighthouse Enterprise Edition because it has built-in connectors to Siebel and because it could provision anything — access to data resources, telephones, office space, even parking spaces. More importantly, it keeps user data consistent from application to application. And it automatically deprovisions access to data resources, ending the dangerous problem of having rogue passwords that trespassers can use to break into systems.

“The payback,” Blank says, “is the human resources folks say they’re seeing tremendous efficiencies in terms of accuracy of user information. And they don’t have to spend so much time doing clerical work.”

TIP 5

Work in phases, and justify each through ROI. Baking in money-saving and efficiency features like the human resources policy enforcement tools that ProBusiness added will go a long way toward helping IT departments justify subsequent phases of development, says Wendy Steinle, director of marketing for Novell Inc.’s Nsure identity management products.

And identity management is a lot easier to bite off in phases, say IT managers. Start with steps that can show a return on investment or cost savings, such as North Carolina’s reduced help desk costs, which Garrett believes will pay for the state’s identity management system in two years. She uses these numbers to cost-justify future projects, such as the addition of more robust access controls.

“Identity management done the right way can save a lot of money,” adds Steinle. “That takes planning, evaluating your solution options, building a road map and creating measures of success.”

Radcliff is a freelance writer in Northern California. She can be reached at derad@aol.com.
SNAPSHOTS

Does your company currently have a business continuity plan?

More than one-third of the chief financial officers who responded to a recent poll said they don’t have a business continuity plan to recover from disasters.

■ Yes: 57%

■ No: 36%

■ Don’t know/no answer

Base: 1,400 CFOs at U.S. companies with more than 20 employees.

SOURCE: ROBERT HALF MANAGEMENT RESOURCES, MENLO PARK, CALIF., JUNE 2003

Consumer Insecurity

Consumers who don’t use online banking cite the following reasons:

■ Concerned about security: 26%

■ Not comfortable doing banking business online: 22%

■ Prefer to do all banking business face to face: 21%

■ Concerned about privacy: 6%

Base: 1,571 U.S. consumers who don’t bank online; multiple responses allowed.

SOURCE: TOWERGROUP, NEEDHAM, MASS., JUNE 2003

Asian Epidemic

Security breaches in the Asia-Pacific region have reached epidemic levels, especially in China.

■ 75% of software developers in the Asia-Pacific region reported a security breach in the past year.

■ 84% of developers in China reported a security breach in the past year.

■ 60% of developers in China reported three or more breaches in the past year.

Base: 600 software developers in the Asia-Pacific region.

SOURCE: EVANS DATA CORP., SANTA CRUZ, CALIF., MAY 2003


MARK HALL

Feeling Insecure

The first time my name got me into trouble was in high school. A football player heard that I had taken his girlfriend out on a date, and rumor had it he was “gonna pound” me. When I met the big fella, it took a lot of time and people to convince him that he had the wrong Mark Hall, despite his 5-foot-10-inch girlfriend’s denial she’d ever met my 5-foot-4-inch self.

Recently, our sister publication CIO hired Mark Hall to lead its IT department. Congratulations have been coming in fast and furious — and curious, because no one knew I had such skills. And our parent company, IDG, even sent me a cell phone destined for him. (Now, if only they’d send me his paycheck, too.)

So, you can see why I’m feeling nervous in this new era of heightened security. Oh, I don’t mind the gun-toting guards in airports and at public venues. I’ve traveled abroad enough to be sanguine about seeing uniformed men and women toting Uzis and Glocks. What I fear are those armed and dangerous databases our government and commercial entities are compiling; they could contain false positives on “Mark Hall” and other innocents in the war on terrorism.

It doesn’t comfort me to know that the Defense Advanced Research Projects Agency (DARPA) has changed the name of its Total Information Awareness (TIA) project to Terrorist Information Awareness. After all, TIA’s intent remains the same: to create integrated and efficient access to information in various public and private data silos and process it in order to thwart terrorist plots. As DARPA researchers told Congress in late May, the agency can’t guarantee “the accuracy and utility of any information retrieved by TIA’s search tools, [but] consideration should be given, in implementation, to the quality of the databases to be queried.” In short, false positives will persist, giving me nightmares that Donald Rumsfeld, a former champion wrestler, will someday come over to my house to pound me.

Then there’s Regulatory DataCorp International LLC (RDC). Last year, Computerworld wrote about the newly formed commercial operation, noting that “Regulatory DataCorp will compile information from public resources, including international, federal and local law enforcement records. It will then sell access to the database to other companies so they can screen potential customers” [QuickLink 30371].

RDC’s users are primarily financial institutions that, by statute, must make every effort to weed out lawbreakers of all stripes. According to Chief Operating Officer Peter Nitze, as of last month, RDC already had “a little bit under 1.5 million names” in its database. Could “Mark Hall” be one of them?

Solving the false-positive problem in these massive databases isn’t trivial. Stephen Brobst, chief technology officer at NCR’s Teradata division, which is renowned for its monster databases, points to problems consumers have had with credit reports.

That’s why Congress passed the Fair Credit Reporting Act, which gives us access to our credit histories to help assure us that they’re accurate. It’s unlikely that these counterterrorism databases will offer us equal protections.

But Brobst points out that the problem gets stickier because of the catastrophic risks of false negatives — that is, likely terrorists and other nasty folks who aren’t added to the database because the criteria for adding suspects are too conservative. As such, he thinks the tendency will be to protect against false negatives, increasing the odds of false positives.

Nitze agrees. That doesn’t mean RDC ignores the problem. It uses human analysts, who receive more than a month of training, to review identical names by searching for data discrepancies to ensure that the good Mark Hall (that would be me) isn’t mistaken for his evil twin.

This conundrum hasn’t gone unnoticed inside the Pentagon. A Defense Department spokesman tells me, “It’s quite possible for the Muslim equivalent of ‘John Smith’ to create false positives.” So DARPA has also designed procedures to cull out the false positives.

But the tendency for the creators of these applications is to err on the side of inclusiveness. In other words, the more “Mark Halls,” the better.

It will take time and experience before projects like TIA and RDC are able to balance real security needs with the thorny problem of false positives, which waste their time and resources. In the meantime, I’m considering changing my name to Marcusian Halloflowskovich. Has a nice ring to it, don’t you think?


Evaluate Outsourcing Partners

Outsourcing security to managed providers requires safeguards to guarantee service. Here are tips from companies that have signed over security to the experts. By Barbara DePompa

Working with managed security service providers (MSSP) isn’t much different from any other type of outsourcing commitment. All of the basic rules still apply, including setting specific requirements, incorporating strict service-level agreements with penalties, and re-evaluating your needs — and the provider’s competencies — at regular intervals.

But when it comes to managing security functions, there are additional factors that can improve the relationship and the quality of security coverage provided by your MSSP.

TIP 7

Have a clear reason for outsourcing. Figure out whether the service provider will deliver better security or run the company’s information security operations faster and cheaper than you could in-house.

Merrill Lynch & Co., for example, signed a global, multiyear contract to have VeriSign Inc. monitor and manage hundreds of network security devices, primarily firewalls and intrusion-detection systems. “We picked VeriSign because of the company’s expert skill in monitoring and its ability to give us better information than we could gather on our own. The goal wasn’t to reduce costs; it was to improve security,” says David Bauer, chief information security and privacy officer at Merrill Lynch.


8

Ask probing questions. Jeff Nigriny, chief security officer at Exostar LLC in Herndon, Va., an online exchange for the aerospace and defense industry, suggests interviewing everyone at the MSSP about how they will provide coverage for your company. How many times has the provider had to issue a credit for failing to meet the service-level agreement? And how financially stable is it?

Set a time limit for responses. When Exostar contracted with TruSecure Corp., Nigriny included a clause in the service-level agreement stating that TruSecure’s response time to a problem couldn’t exceed 15 minutes and that any configuration changes would have to be made within 30 minutes.

10

Remember: Monitoring for security breaches 24/7 simply isn’t enough. “The MSSP must filter through the alerts, respond to problems as they arise and tell me what was done in a report later,” says Nigriny, who decided it was time to consider outsourcing when he was forced to sift through 3,000 incidents in a single day.


TIP 11

Use an MSSP that’s nearby. Paul Castellano, general manager of information services, IT security and disaster recovery at Hagerstown, Md.-based Allegheny Energy Inc., selected RedSiren Inc. more than two years ago, primarily because the MSSP filled key requirements and was headquartered in Pittsburgh, which is within driving distance of Castellano’s office. While not everyone is able to jump into the car to visit a service provider, “you really don’t want to be on a plane every time there’s a briefing or presentation,” he says.

TIP 12

Make sure the MSSP offers fail-over operations that at least match your own. Castellano recommends using an MSSP that offers redundant network operations centers, which are critical for recovering from regional disasters. And even more important, he says, is the need to test those backup operations.

TIP 13

Understand and exploit the reports you get. An MSSP’s reporting tools can be used to benchmark your security coverage and recovery performance against those of scores of other companies. Allegheny Energy has used the RedSiren reporting tools to build a baseline and enable Castellano’s staff to perform monthly or quarterly “what if” security testing.

Think beyond the perimeter and “defend in depth.” That’s the advice of Nick Brigman, a vice president at RedSiren. Nowadays it takes more than antivirus software and a firewall to secure operations. Consider adding multiple intrusion-detection sensors in different areas around the company to better protect critical assets. Some customers add such devices both outside and inside their firewalls, Brigman says, to detect and track the incidents that breach them.


15

Figure out how to escalate a problem and how to gain access to the “real” security experts inside the MSSP. Chances are, when you call the MSSP for assistance about a security alert, the person who answers the phone may not be the key person you need, says Adam Joseph, former CEO of TruSecure and now an independent consultant. He says MSSPs typically don’t keep many highly skilled security technicians on duty around the clock, so identifying the people with real expertise is critical to getting better service.

In general, experts say that the key is to develop a close, trusting relationship with the MSSP so the IT department can focus on strategic security goals while the MSSP handles the mundane daily operations.


SERVICE HYPE

1 to get Analysts say there's much hyping of services going on today, as MSSPs scramble to gain a footing in the market. So ask for sanitized incident reports, examine the level of content in them, and analyze the effectiveness of the service provider’s response in each

DePompa is an independent writer and editor in Germantown, Md. She can be reached at bdepompa@comcast.net.

MORE  TIPS  ONUHE 

Need  more?  We've  got  additional  tips  on  security 
outsourcing  on  our  Web  site: 

OQuickUnk  39686 

www.computerworld.com 


IT guy has time to chat

Greg Brown, 33, seen talking freely to co-workers after deploying Nokia Message Protector


Introducing Nokia Message Protector.

Nokia has created a complete purpose-built appliance that integrates innovative security technologies including virus protection from Trend Micro™, with unique Nokia filtering software — known as statistical protection — to deliver new levels of enterprise email security. Nokia Message Protector deploys in minutes and provides secure, automatic updates to optimize email system integrity. With the ability to process up to 120,000 emails per hour, and the intelligence to control the content that enters, flows through and leaves your network, you can spend more time doing things that matter — like getting to know your colleagues! If you’d like more time to chat, visit www.nokia.com/get_a_life/americas

NOKIA

Connecting People

With merger and acquisition activity on the rise, here’s how to protect your company’s assets and exploit the opportunity to bolster the security of the combined business. By Bob Violino

Maintaining robust security is at the top of the IT priority list at many companies these days. But those that are in the midst of a merger or acquisition face some unique security challenges — and opportunities.

U.S.-based multinational companies plan to increase their merger and acquisition activity over the next two years, with 70% expecting to be involved in such deals in that period, according to a recent PricewaterhouseCoopers Barometer Survey of 170 executives.

That will mean lots more work for chief security officers — before the deal is signed and afterward, when security technologies and policies have to be integrated. The following are some practical tips for ensuring that data, networks and systems remain as secure as possible during the often turbulent times that accompany a merger or acquisition.

Perform due diligence on security well before the merger begins. The chief security officer or other senior security manager should be as involved in the process of evaluating potential merger or acquisition targets as finance, human resources and other executives are.

Analyze the security policies and technologies at the other company, and determine how vulnerable it is.

Also, determine whether the company educates employees about security in general and about things such as preventing the spread of viruses. Conduct a penetration test of the target company’s network, and interview managers and staffers to gauge the prevailing attitude about security and protecting data and intellectual assets.

“Spend a lot of time learning about the company and its culture, where it does business, whether security [management] is centralized or decentralized, and how the company values security,” says Bobby Gillham, manager of global security at ConocoPhillips in Houston, who headed security for Conoco during its 2002 merger with Phillips Petroleum. “Work closely with the other company’s security manager to understand their security organization and its role in the organization.”

Assess the security practices and vulnerabilities of suppliers and other business partners that work closely with the merger or acquisition target, says Laura Koetzle, an analyst at Forrester Research Inc. Do the trading partners have adequate security in place for e-commerce, online procurement and Web collaboration?

Remember that a merger can always fall through because of regulatory restrictions, stockholder disapproval or other reasons. “Companies have to be careful about releasing [security] information to the other organization, because if the merger is halted, there’s no way you can get them to ‘unknow’ those things you’ve told them,” says Koetzle. This is particularly critical if the merger partner is a competitor. “You can disclose the level of security you provide, but don’t hand over all the keys to the kingdom in the early stages of a merger.”

Anticipate “social engineering” and other security threats from disgruntled employees at both of the companies involved. While experts say bad behavior is usually the exception — most people are more concerned about finding a new job than harming the company if they believe they’re going to be laid off — it makes sense to be ready for anything. As soon as an employee has been notified about a layoff, cut off access to all critical services and applications. The IT staff should be trained and prepared to shut off employees’ network access as quickly as necessary.

“You need to pay particular attention to protecting against people walking out with proprietary information,” Gillham says. “Sometimes people take things not to steal, but to show prospective employers the work they’ve done. You have to limit access to proprietary systems for those people you know are being downsized.”

During the integration/transition phase, get the two companies’ security groups working together as soon as possible. Begin to identify which security technologies should be retained and which should be dropped, based on the security needs of the new organization. “There may be an opportunity to create [a new] security organization that has the best of both companies,” says Gillham. “Compare the security expertise of both companies and look for opportunities for synergy in the integration process.”

Be sure to address how to handle secure communications, particularly if the companies are using different types of e-mail or virtual private networks for remote access. “That can be a hurdle; if the systems are not compatible, people may not be able to communicate with each other,” says Nicholas Percoco, associate partner at Ambiron LLC, an information security advisory firm in Chicago. It may be necessary to change security technologies at one company to guarantee secure communications.

Violino is a freelance writer in Massapequa Park, N.Y. You can contact him at bviolino@optonline.net.

Thwart Insider Abuse

Here’s how to detect and stop attacks by clueless or disgruntled employees. By Dan Verton

IT HASN’T BEEN GETTING a lot of media attention lately, but the threat to corporate security and intellectual property from insiders remains one of the biggest challenges facing IT departments today.

According to the most recent survey by the American Society for Industrial Security in Alexandria, Va., current and former employees and on-site contractors with authorized access to facilities and networks continue to pose the most significant risk to intellectual property such as research data, customer files and financial information.

What follows is a list of the best tips — from a variety of IT security professionals — on how to detect and prevent insider abuse of computer and network resources. Experts say that all security programs should focus on people, process and technology, so we’ve broken the list into those three categories.

People

Require new hires to go through a security orientation. Have employees review and sign a policy concerning the acceptable use of company IT resources. In addition, an orientation program should include a review of the threats; a specific list of do’s and don’ts to protect corporate information, passwords and physical security; and what to do (and whom to contact) if an employee discovers a security violation.


OFFICE PERIPHERALS

TIP 25

Don’t overlook the sensitive data on common office peripherals, such as copiers and printers. When these products are used, the memory of that use remains in the machine, sometimes for years. There are products available to address this issue, such as “digital shredder” software, which erases data from the machine after each use.


TIP 26

Establish a corporate “neighborhood watch” program. Set up a reporting structure that is able to detect irregularities and prevent social engineering.

TIP 27

Check the backgrounds of all employees who handle sensitive data.

TIP 28

Make sure the passwords for systems administrators have the strongest level of authentication and are given to the smallest potential audience.

TIP 29

Require systems administrators to take two consecutive weeks of vacation annually — similar to the vacation requirements for senior bank managers — so that fraudulent activities or other improprieties can surface while they’re gone.

TIP 30

Develop a policy-setting “security council” that has an executive sponsor from each major department, such as human resources, finance, IT and marketing.

TIP 31

Integrate IT procedures and HR procedures so that system access is tied to employee (and consultant) hiring and departures.


Process

TIP 32

Establish a reliable system for assigning access to company data. Make sure the system can disable such access immediately if a major layoff occurs.

TIP 33

Determine, based on job function, seniority and other roles, who needs to have access to which company resources and why.

TIP 34

Require employees to sign a nondisclosure contract on their date of hire so they know what type of information is considered proprietary and what the consequences will be if they share it without authorization.

TIP 35

Keep an inventory of your IT assets. Know the type and version of every operating system and application you use, as well as the number of computers and networking devices you have and all of the firewall types and rules.

TIP 36

Conduct security audits on all systems every 24 hours to ensure that the systems are secured and haven’t regressed or been rendered vulnerable.

TIP 37

Make the ability to support your company’s information access policy one of the criteria for buying new software or systems.

TIP 38

Evaluate the security of your business partners and vendors.


Technology

TIP 39

Identify dormant IDs or orphaned accounts. Install or create a system for actively checking for and deleting out-of-date IDs and accounts as well as inactive users.

Have an automated system for resetting passwords on a regular basis.

TIP 41

Make sure that the accounts belonging to laid-off employees aren’t simply deleted. Instead, incorporate a suspend feature in your provisioning process that prevents outside access but enables the IT department to search for key data in the account.

Yikes!

A survey of managers and employees with access to sensitive customer information found the following:

■ 66% said their co-workers, not hackers, pose the greatest risk to consumer privacy; only 10% said hackers are the greatest threat.

■ 62% reported incidents at work that put customer data at risk for identity theft.

■ 46% said it would be “easy,” “very easy” or “extremely easy” for workers to remove sensitive data from the corporate database.

■ 32% said they're unaware of internal company policies to protect customer data.

■ 28% said their company does not have a written security policy or they didn’t know if it has one.

Base: Survey of 500 U.S. workers and managers who handle sensitive customer information at work.

SOURCE: HARRIS INTERACTIVE INC., ROCHESTER, N.Y., MAY 2003

TIP 42

Convert physical access-control devices from electronic systems to network-enabled devices so that physical access events can be correlated with network events and file-access attempts. For example, integrate your building-access card reader with your IT network so that an event like a person entering a building late at night can be correlated with any cybersecurity violations that take place around the same time.

Collect historical data for individual employees regarding network activity and file-access attempts and then employ a formula to calculate a risk factor for each event. Rank the risk factors and sort by employee to identify the riskiest employees or those who need remedial security training.
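
One way to carry out the last two Technology tips (correlating building-access events with file-access attempts, then scoring each event and ranking by employee), as an added example that is not from the article. The weights, the time windows, the business-hours range, the assumption that all access is on-site, and every record below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 (assumed policy)
PRESENCE_WINDOW = timedelta(hours=12)    # a badge-in this recent counts as "on site"
ENTRY_WINDOW = timedelta(minutes=30)     # access this soon after entry is tied to it

# Assumed weights: the article calls for "a formula" but does not give one.
WEIGHTS = {"denied": 3, "new-resource": 2, "off-hours": 2,
           "late-entry": 3, "no-badge-in": 4}

# Constructed sample records (not real data).
BADGE_EVENTS = [  # (timestamp, employee, door) from the card-reader system
    ("2003-07-14 08:55", "alice", "lobby"),
    ("2003-07-14 09:02", "bob", "lobby"),
    ("2003-07-14 23:40", "carol", "server-room"),
]
FILE_EVENTS = [  # (timestamp, employee, resource, outcome) from file servers
    ("2003-07-14 09:10", "alice", "hr/payroll.xls", "denied"),
    ("2003-07-14 09:30", "bob", "eng/specs.doc", "ok"),
    ("2003-07-14 23:47", "carol", "finance/forecast.xls", "denied"),
    ("2003-07-14 23:52", "carol", "finance/forecast.xls", "denied"),
    ("2003-07-14 14:00", "dave", "eng/specs.doc", "ok"),  # never badged in
]
HISTORY = {  # resources each employee touched during the baseline period
    "alice": {"hr/benefits.doc"},
    "bob": {"eng/specs.doc"},
    "carol": {"ops/runbook.doc"},
    "dave": {"eng/specs.doc"},
}


def parse_ts(text):
    return datetime.strptime(text, FMT)


def index_badges(badge_events):
    """Map employee -> sorted list of badge-in times."""
    by_emp = defaultdict(list)
    for ts, emp, _door in badge_events:
        by_emp[emp].append(parse_ts(ts))
    for times in by_emp.values():
        times.sort()
    return by_emp


def score_event(event, badges, history):
    """Return (risk factor, reasons) for one file-access event."""
    ts, emp, resource, outcome = event
    when = parse_ts(ts)
    reasons = []
    if outcome == "denied":
        reasons.append("denied")
    if resource not in history.get(emp, set()):
        reasons.append("new-resource")       # outside the employee's baseline
    if when.hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    # Physical/network correlation: most recent badge-in before the access.
    recent = [b for b in badges.get(emp, [])
              if timedelta(0) <= when - b <= PRESENCE_WINDOW]
    if not recent:
        reasons.append("no-badge-in")        # account active, person not seen
    else:
        entry = recent[-1]
        if when - entry <= ENTRY_WINDOW and entry.hour not in BUSINESS_HOURS:
            reasons.append("late-entry")     # access right after a late entry
    return sum(WEIGHTS[r] for r in reasons), reasons


def rank_employees(file_events, badge_events, history):
    """Score every event, total per employee, highest total first."""
    badges = index_badges(badge_events)
    totals, detail = defaultdict(int), defaultdict(list)
    for event in file_events:
        score, reasons = score_event(event, badges, history)
        totals[event[1]] += score
        detail[event[1]].append((event[0], event[2], score, reasons))
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, dict(detail)


if __name__ == "__main__":
    ranked, detail = rank_employees(FILE_EVENTS, BADGE_EVENTS, HISTORY)
    for emp, total in ranked:
        print(f"{emp:6} total={total}")
        for ts, resource, score, reasons in detail[emp]:
            print(f"    {ts} {resource} score={score} {','.join(reasons)}")
```

The per-event reasons are kept alongside the totals so a reviewer can see why an employee ranks high before deciding between follow-up and remedial training.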


MORE TIPS ONLINE

Need more? We've got additional advice on preventing insider abuse and social engineering:

Protect Privacy, Step by Step

A step-by-step process for protecting your company by guarding customer privacy. By Jaikumar Vijayan

A flurry of federal and state regulations and international laws is pushing data privacy management to the top of the business agenda. Companies that fail to comply with those laws will increasingly be exposing themselves to legal liability from their customers and from regulators.

Laws such as the Health Insurance Portability and Accountability Act and the USA Patriot Act have already established information privacy rules for companies in the health care and financial services industries. New this month is California’s SB 1386 identity protection bill, and coming down the pike are other state and federal versions of the law. International rules such as those covering European Union nations and Canada are also forcing U.S. companies to confront privacy issues.

For a lot of companies, complying with such regulations will require a substantial effort from both a technology standpoint and a process standpoint, says Paul Paez, president of Privastaff Inc., a San Jose-based privacy consultancy.

Even so, the laws make it vitally important for companies to develop privacy policies, practices and procedures, says Charlene Brownlee, an attorney at Fulbright & Jaworski LLC in Austin. “A company’s liability will be measured against what steps it took to protect data privacy,” Brownlee says. “You are going to need to show what you did to be in compliance with industry standards.”

That means clearly articulating a privacy policy and then taking the following technology and process measures to implement and manage it.

TIP 44

Assess what steps need to be taken in order to comply with privacy regulations relating to your business and with your company’s privacy policies.

TIP 45

Audit how and why personal data is collected, used, shared, accessed, stored and protected.

TIP 46

Look at the manual and automated processes that are involved in this cycle and figure out which gaps need to be filled.

As obvious as these measures may seem, this kind of gap analysis is a crucial first step to any privacy management effort, Brownlee says. Otherwise, there’s simply no telling where or how personal information is embedded within your enterprise and how it needs to be protected.

TIP 47

Control who touches the data and why, says Arshad Noor, CEO of StrongAuth Inc., a Cupertino, Calif.-based identification management firm. Have formal processes for restricting physical and virtual access to confidential customer or employee data.

Secure the manual and automated processes by which data is copied, shared, backed up and stored. For instance, limit the number of people who have physical access to backup tapes or other storage media containing confidential information. Have strong user-authentication and access-control technologies to ensure that only authorized people have access to confidential information, Noor suggests.


TIP 49

Understand what permissions are associated with personal data used by applications - especially ones such as CRM, ERP and supply chain, says Paez. A lot of the customer data may have been collected in a manner not consistent with new regulations or the company’s privacy policy, he says. See whether the permissions need to be updated and new permission fields need to be added to these applications. Investigate and implement processes for tracking and storing user permissions and for seeing that the data is used in a consistent manner across all applications, Paez says.


PREPARE TO BE HACKED

Encrypt all confidential data when it’s being transmitted and when it’s at rest on storage media. That way, even if it gets hacked, the information is secure. Encryption might also provide some legal cover for companies that get hacked. Businesses that encrypt data are specifically exempt from California’s SB 1386, for instance. It may also be a good idea to consider storing a user’s name separately from other pieces of identifying information such as a Social Security or driver’s license number.


TIP 51

Collect personal information only if it’s absolutely needed, and don’t store it for longer than you need it, Brownlee advises. Examine whether storing personally identifiable information, such as Social Security and driver’s license numbers, is really key to your business.

If not, are there alternatives to collecting and storing such information? The more personal data you collect, the greater your liability exposure, according to Brownlee.

TIP 52

Implement good configuration management, asset management and change management processes, Noor says. Make sure that the hardware, operating systems and networks that process personal data are hardened and locked down. Shut down all unnecessary functions, configuration settings and permission fields, he says. Stick the servers behind firewalls.

Plug IM’s Security Gaps

It may not be sanctioned by IT, but with 25 million business users, instant messaging is a security problem you can’t ignore. Here are some tips for locking it down. By Mary Brandel

WHEN YOU SAY the words instant messaging and security to many IT executives, you might as well be referring to oil and water. Some CIOs have simply banned the use of this collaboration tool in their companies, citing it as a gaping hole through which viruses, hackers and corporate spies can enter and out of which company secrets, libelous statements and unaudited communications can flow.

These naysayers have a point — Gartner Inc. in Stamford, Conn., has identified IM as one of the top 11 security issues for 2003. “IM, by its very nature, punches a hole in the firewall, and that opens up the possibility of inviting in a dangerous worm,” says Douglas Schweitzer, a Gartner analyst.

The problem is, IM originated as a free download for consumers and wasn’t designed with corporate security in mind. Instant messages bypass virus scanners, and users can inadvertently download files containing malicious code. And because of IM’s casual nature, users may be less than professional in their communications. Meanwhile, these messages go uncaptured by any corporate database, making them unauditable.

But officially sanctioned or not, IM use is nearly unstoppable — and in some instances, it’s a critical business tool. Last year, there were 80 million IM users in the U.S., and 25 million of those were business users, according to The Yankee Group in Boston. Fortunately, there are ways to plug many IM security gaps. Here are some tips on how to tame the wild world of IM:

TIP 53

Keep IM within the firewall. Some companies, such as Terra Nova Trading LLC in Chicago, want their employees to have IM — just not over the public network. So Kevin Ott, vice president of technology at the brokerage, installed an IM system called E/pop from WiredRed Software Corp. in San Diego.

E/pop and similar systems, such as IBM Lotus Software Group’s Sametime, Jabber Inc.’s Messenger and even America Online Inc.’s Enterprise AIM, route instant messages locally, so they never traverse the public network.

These systems also offer audit and reporting capabilities, as well as features such as virus scanning, directory integration with other e-mail systems, message encryption and user authentication. “It’s a completely closed system, and we can audit the transcripts and put them in a database,” Ott says.


Install a gateway product. Other companies, such as brokerage firm Craig-Hallum Capital Group LLC in Minneapolis, rely on IM to communicate with business partners. That’s why it turned to an IM gateway product from FaceTime Communications Inc. in Foster City, Calif. Other gateway vendors include Akonix Systems Inc., IMlogic Inc. and AOL.

These systems can either route instant messages on the internal corporate network for employee-to-employee communications or interface with consumer IM clients to send messages to outside parties over the Internet.

However, a proxy server sits between the IM clients on both sides of the firewall and scans for viruses, filters content, periodically attaches disclaimers to messages and sends all messages to a database for archiving.

These systems also allow IT to block file transfers, authenticate users and control who’s allowed to use IM. Some gateway products allow IM conversations to be monitored in real time and even interrupt those that break corporate policies. More common, however, is after-the-fact monitoring. “We do a postreview, because IM conversations are supposed to happen in real time,” says John Threadgill, managing director of IT at Morgan Keegan & Co. in Memphis. “The system checks for keywords, and if one appears, the IM is flagged and a manager is notified.”


TIP 56

Encrypt messages. Even with a gateway product, there is still a vulnerability: “What happens to the message when it’s out on the Internet?” asks IDC analyst Robert Mahowold. Consumer IM systems store instant messages on their servers in clear text, which anyone, including hackers, can read.

Encryption is one way to bridge this security gap, although very few companies actually use it because of its complexity and the fact that many products work only if both parties use the same encryption software. Another approach, offered by AOL and VeriSign Inc., is to certify instant messages sent to partners. However, Mahowold says, “it’s a payment level on top of paying for the IM client and server.”


TIP 57

Hammer home your IM policy. After closing what gaps you can with technology, the best safety net is to educate users on IM’s security holes. One way to do this with an IM gateway is to have the system send periodic reminders of IM policies.

At The Weather Channel Interactive Inc. in Atlanta, which uses Akonix’s L7 system, salespeople who use consumer IM systems get a daily pop-up reminder, says John Penrod, a network architect there. “We want them to keep in mind that we’re not preventing them from putting a dollar mark into an IM but that it would be preferable for them to think about whether that communication should be done in a more secure way,” he says.

Brandel is a Computerworld contributing writer in Grand Rapids, Mich. Contact her at brandels@attbi.com.

MORE TIPS ONLINE

Companies share more advice on locking down instant messaging:

QuickLink 39700

www.computerworld.com

Boost Your Security Career

Tips and strategies for developing a career in information security. By Amy Helen Johnson

CAREERS

INFORMATION security specialists have it a little better than other IT professionals in today’s tight job market, but not by much. That’s according to Jim Wade, senior vice president and chief information security officer at financial services firm KeyCorp in Cleveland.

The pay is slightly higher, Wade says — maybe 10% more than for other IT positions at comparable levels — and a high-quality candidate, especially in the senior-level ranks, should have no problem finding interested employers.

To become a top-ranked information security specialist, you have to make the right moves. Here are some tips to help you manage your information security career.


TIP 58

Get the right certifications, says Wade. There are three types: vendor- and technology-specific, skills-based, and knowledge-based. You’ll likely need all three at different places in your career.

When you’re first starting, he says, knowledge of a specific technology, like firewalls, is good for operations jobs. The next step, demonstrating a skill such as intrusion-detection expertise, earns you entry into specific projects. When you want to move into management roles, a broad-based certification, like Certified Information Systems Security Professional (CISSP) or Certified Information Security Auditor, is the way to go. (Wade is also president of International Information Systems Security Certification Consortium Inc., a professional standards group for the security industry and the body that oversees the CISSP test.)

The better certifications account for the fact that information security is a continual learning process, says Kerry Anderson, vice president and information security officer at Boston-based FMR Corp., the parent company of Fidelity Investments. So look for ones that require continuing education credits to maintain your status. They indicate that you stay up to date in this changing field. Ones that require you to demonstrate on-the-job experience are also more valuable to employers, she says.

Consider earning a graduate degree in information security, says Wade. Look for programs that combine technical training with business strategy courses; today’s security professional has to be as savvy about corporate financial goals as he is about Unix security holes. Two places to check out: Purdue University and Idaho State University.

If you’re looking for more academic programs, Anderson suggests researching the universities recognized by the National Security Agency as Centers of Academic Excellence in Information Assurance Education. That list is available at www.nsa.gov.

Increase your disaster recovery and risk management skills, says Kenneth Davis, director of information security at Allstate Insurance Co. in Northbrook, Ill. People with disaster recovery skills are vital to businesses because they keep operations running in an emergency. A need for people with risk management expertise arises out of recent government regulations that require businesses such as financial services firms and health care providers to protect personal data.


TIP  61 


Build  a  home  laboratory,  says 
Tom  Baltis,  manager  of 
risk  management  at  Allstate.  Readily 
available  freeware  or  shareware  ver¬ 
sions  of  many  commonly  used  tech¬ 
nologies  put  such  a  lab  within  the 
means  of  most  people,  he  says.  This 
gives  IT  professionals  the  opportunity 
to  acquire  knowledge  of  the  underlying 
theories  and  uses  of  security  tools  — 
skills  that  transfer  regardless  of  the 
actual  product  used. 


Give  something  back  to  the 
information  security  commu¬ 
nity,  says  Wade.  The  best  way  to  do 
that,  he  says,  is  to  work  with  standards 
bodies  and  professional  organizations 
to  develop  best  practices  and  enhance 
the  common  body  of  knowledge. 


TIP  62 


TIP  63 


Get  on  a  project  working  with 
strategic  partners,  such  as 
vendors,  service  providers  and  cus¬ 
tomers,  Wade  says.  This  gives  you 
valuable  experience  in  an  area  of 
growing  importance:  providing  ade¬ 
quate  levels  of  security  when  the  risks 
arise  from  connecting  to  systems  out¬ 
side  your  infrastructure. 


np  64 


Consider  an  internship  in 
IT  security  if  you’re  still  in 
school,  says  Wade.  Not  only  will  you 
get  practical,  real-world  experience, 
but  you’ll  also  make  valuable  contacts 
for  your  postgraduation  job  search. 

Information  security  jobs  are  every¬ 
where  —  from  Fortune  500  companies 
to  mom-and-pop  businesses  —  and  in 
every  state,  says  Davis.  That  means  you 
have  a  good  chance  of  being  able  to 
find work where you live. And if you’re willing to relocate, the
chances of finding your dream job increase.


Take a second look at government jobs, says
Wade. After losing many good people to
higher  salaries  and  better  opportunities  in 
industry,  the  U.S.  government  is  adapting 
its  traditionally  rigid  employment  practices 
to  recruit  and  retain  more  information 
security  professionals. 


Johnson  is  a  Computerworld  con¬ 
tributing  writer.  You  can  reach  her  at 
amy-helen@pobox.com. 


2003 GLOBAL SECURITY SURVEY BY DELOITTE TOUCHE TOHMATSU, NEW YORK, JUNE 2003


Managing  Wireless  Risks 

Financial  institutions  around  the  world 
have  taken  the  following  steps: 

have  instituted  security 
policies  for  wireless  usage. 


have  scanned  their  networks 
to  identify  rogue  wireless 
networks. 

have  issued  guidelines  to  em¬ 
ployees  for  safer  use  of  Wi-Fi. 

Base: Survey of corporate security and IT managers at
80 financial services companies worldwide
The Almanac


Patent Watch

■ A method for detecting security vulnerabilities in a Web application.
Most scanners look for vulnerabilities at the network level, but this
one probes for security weaknesses at the application level. — U.S.
Patent No. 6,584,569, issued June 24. Inventors: Eran Reshef, Yuval
El-Hanany, Gil Raanan and Tom Tsarfati, for Sanctum Ltd. in Herzelia,
Israel.

■ A “digital persona” for providing access to personal information. An
information server stores a person’s identifying information and
privacy preferences. If another computer requests the personal data,
the digital persona server compares the request with the privacy
preferences and either approves the release of the data or denies the
request if the conditions are unacceptable. — U.S. Patent No.
6,581,059, issued June 17. Inventors: Robert Carl Barrett and Paul
Philip Maglio, for IBM.


“Security spending can’t continue to consume ever-increasing portions
of the IT budget. No enterprise can afford to spend more on insurance
than on new product development. By 2005, security groups that can’t
demonstrate security effectiveness metrics will experience flat to
declining IT security funding.”

JOHN PESCATORE, ANALYST, GARTNER INC.


Spyware Bots:
They’re Everywhere

Some of them are innocuous, just tracking Web site visits. But “spyware
bots” — software modules deposited onto a PC without the user’s
knowledge — are the truest form of Trojan horses, says Jim Hurley, an
analyst at Aberdeen Group Inc.

Some  of  these  bots  are  treacherous, 
he  says,  capable  of  hijacking  the 
browser,  capturing  keystrokes,  sniffing 
passwords,  collecting  confidential 
data,  piggybacking  on  telecommunica¬ 
tions  services  and  allowing  outsiders 
to  take  control  of  the  PC. 

Spyware  makes  its  way  into  the  bow¬ 
els  of  the  PC  when  new  software  pack¬ 
ages  are  installed  or  upgraded.  In  addi¬ 
tion,  e-mail  and  Web  portals  contain 
self-installing  spyware  agents,  Hurley 
explains. 

Few  people  know  that  their  PC  is 
riddled  with  spyware  bots,  which  com¬ 
municate  the  information  they  collect 
to  Web  sites.  Neither  antivirus  soft¬ 
ware  nor  firewalls  can  stop  them. 

“Spyware  is  now  on  every  PC  in 
every  home,  corporation  and  govern¬ 
ment  agency  throughout  the  world,” 
Hurley  asserts.  His  recommendation: 
Type  spyware  in  a  Web  search  engine 
and  get  one  of  the  spyware  detection- 
and-elimination  tools  listed  there  to 
find  out  what  sort  of  spies  are  lurking 
in  your  PC. 


Resold  Hard  Drives 
Yield  Private  Data 

MIT researchers have confirmed that many resold and discarded
computers — even those with “erased” hard disks — harbor confidential
data such as credit card numbers and medical records that can be
readily recovered.

Scavenging  through  the  data  left  on 
158  secondhand  disk  drives,  the  re¬ 
searchers  found  more  than  5,000  credit 
card  numbers,  as  well  as  detailed  per¬ 
sonal  and  corporate  records.  One  disk 
apparently  came  from  an  automated 
teller  machine  in  Illinois  and  had  a 
year’s  worth  of  financial  transactions. 

Many  of  the  disk  drives  had  been 
reformatted,  or  the  My  Documents 
folder  had  been  deleted,  but  that  didn’t 
make  the  data  unreadable.  In  all,  only 
12  drives  were  properly  sanitized,  the 
researchers  reported  in  the  journal 
IEEE  Security  and  Privacy. 


Unisys  Suite  Detects 
Criminal  Patterns 

Unisys  Corp.  recently  unveiled  the  Ac¬ 
tive  Risk  Monitoring  System  (ARMS), 
software  that  may  help  banks  spot  pat¬ 
terns  of  seemingly  unrelated  events 
that  add  up  to  potential  fraud,  identity 
theft  or  money  laundering. 

Actimize  Ltd.  in  New  York  provides 
the  underlying  analytics  technology, 
which  monitors  transactions  in  real 
time,  identifies  patterns  of  suspicious 
behavior  and  flags  transactions  accord¬ 
ing  to  predefined  criteria. 

For example, suppose a criminal uses 30 stolen ATM cards in succession
to withdraw $500 each time. None of those transactions taken alone
would raise a flag, but ARMS can detect a change in the rate of
transactions during a certain time period or spot the increased number
of cards that have never been used at that ATM before, Unisys says.

—  Paul  Roberts,  IDG  News  Service 
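The two signals described above (transaction rate in a time period, and cards never used at that ATM before), sketched as an added example that is not Unisys or Actimize code. The window length, both thresholds, the baseline period and all names are assumptions, and the transaction log is constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define WINDOW_SECS   600L  /* look-back period (assumed) */
#define MAX_TXNS      10    /* withdrawals tolerated per window (assumed) */
#define MAX_NEW_CARDS 5     /* first-time cards tolerated per window (assumed) */
#define BASELINE      20    /* history treated as known-good */
#define BURST         30
#define LOG_LEN       (BASELINE + BURST)

struct txn { long t; unsigned card; unsigned amount; };

/* True if `card` was used at this ATM in txns[0..upto). */
static int seen_before(const struct txn *txns, size_t upto, unsigned card)
{
    for (size_t i = 0; i < upto; i++)
        if (txns[i].card == card)
            return 1;
    return 0;
}

/* Scan one ATM's time-ordered log. The first `warmup` entries only build
 * history, so the cold start (every card looks new) raises no alert.
 * Returns the index of the first transaction at which a window counter
 * exceeds its threshold, or -1. *reason: 1 = rate, 2 = first-time cards,
 * 3 = both, 0 = no alert. */
long first_alert(const struct txn *txns, size_t n, size_t warmup, int *reason)
{
    size_t start = 0;   /* oldest transaction still inside the window */

    for (size_t i = 0; i < n; i++) {
        while (txns[i].t - txns[start].t > WINDOW_SECS)
            start++;
        if (i < warmup)
            continue;

        size_t in_window = i - start + 1;
        size_t new_cards = 0;
        for (size_t j = (start > warmup ? start : warmup); j <= i; j++)
            if (!seen_before(txns, j, txns[j].card))
                new_cards++;    /* card's first use falls inside the window */

        int r = (in_window > MAX_TXNS ? 1 : 0) |
                (new_cards > MAX_NEW_CARDS ? 2 : 0);
        if (r) {
            *reason = r;
            return (long)i;
        }
    }
    *reason = 0;
    return -1;
}

/* Constructed sample: 20 hourly withdrawals by 8 regular cards, then 30
 * withdrawals of $500 twenty seconds apart. Each $500 withdrawal is
 * unremarkable by itself. With fresh_cards set, every burst withdrawal
 * uses a card never seen at this ATM. */
void build_sample(struct txn *txns, int fresh_cards)
{
    for (int i = 0; i < BASELINE; i++) {
        txns[i].t = 3600L * i;
        txns[i].card = 1000u + (unsigned)(i % 8);
        txns[i].amount = 40u + 20u * (unsigned)(i % 5);
    }
    for (int i = 0; i < BURST; i++) {
        struct txn *x = &txns[BASELINE + i];
        x->t = 3600L * BASELINE + 20L * i;
        x->card = fresh_cards ? 9000u + (unsigned)i
                              : 1000u + (unsigned)(i % 8);
        x->amount = 500u;
    }
}

int main(void)
{
    struct txn txns[LOG_LEN];
    int reason;
    long at;

    build_sample(txns, 1);
    at = first_alert(txns, LOG_LEN, BASELINE, &reason);
    printf("unseen cards: alert at index %ld, reason %d\n", at, reason);

    build_sample(txns, 0);
    at = first_alert(txns, LOG_LEN, BASELINE, &reason);
    printf("known cards:  alert at index %ld, reason %d\n", at, reason);
    return 0;
}
```

The first-time-card counter fires several transactions before the rate counter does, which is why the two signals are worth tracking separately.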



An  eclectic  collection  of  research 
and  resources.  By  Mitch  Betts 


Buffer Overflow


DEFINITION 

A  buffer  overflow  occurs  when  a  computer  program 
attempts  to  stuff  more  data  into  a  buffer  (a  defined 
temporary  storage  area)  than  it  can  hold.  The  excess 
data  bits  then  overwrite  valid  data  and  can  even  be 
interpreted  as  program  code  and  executed. 


BY  RUSSELL  KAY 

Can there be too much of a good thing? That’s certainly true for
computer input. Do an Internet search on the term buffer overflow, and
you’ll come up with hundreds of thousands of links, most related to
security.

In  the  National  Institute  of 
Standards  and  Technology’s 
ICAT  index  of  com¬ 
puter  vulnerabilities 
( http://icat.nist.gov ), 
six  of  the  top  10  in¬ 
volve  buffer  overflows. 

In  1999,  the  now-de¬ 
funct  research  firm  Hurwitz 
Group  Inc.  named  buffer  over¬ 
flow  the  No.  1  computer  vul¬ 
nerability.  Four  years  later,  it’s 
still  a  major  problem. 

If  you’ve  ever  poured  a  gal¬ 
lon  of  water  into  a  pint-size 
pot,  you  know  what  overflow 
means  —  water  spills  all 
around. 

Inside  a  computer,  some¬ 
thing  similar  happens  if  you 
try  to  store  too  much  data  in  a 
space  designed  for  less.  Input 
normally  goes  into  a  tempo¬ 
rary  storage  area,  called  a 
buffer,  whose  length  is  defined 
in  the  program  or  the  operat¬ 
ing  system. 

Ideally,  programs  check  data 
length  and  won’t  let  you  input 
an  overlong  data  string.  But 
most  programs  assume  that 
data  will  always  fit  into  the 
space  assigned  to  it.  Operating 
systems  use  buffers  called 
stacks,  where  data  is  stored 
temporarily  between  opera¬ 
tions.  These,  too,  can  overflow. 

When a too-long data string goes into the buffer, any excess is written
into the area of memory immediately following that reserved for the
buffer — which might be another data storage buffer, a pointer to the
next instruction or another program’s output area. Whatever is there is
overwritten and destroyed.

That  in  itself  is  a  problem. 
Just  trashing  a  piece  of  data  or 
set  of  instructions  might  cause 
a  program  or  the  oper¬ 
ating  system  to  crash. 
But  much  worse  could 
happen.  The  extra  bits 
might  be  interpreted 
as  instructions  and  ex¬ 
ecuted;  they  could  do  almost 
anything  and  would  execute  at 
the  level  of  privilege  (which 
could  be  root,  the  highest  lev¬ 
el)  assigned  to  that  particular 
memory  area. 

Bad  Programming 

Buffer  overflow  results  from  a 
well-known,  easily  understood 
programming  error.  If  a  pro¬ 
gram  doesn’t  check  for  over¬ 
flow  on  each  character  and 
stop  accepting  data  when  its 
buffer  is  filled,  a  potential 
buffer  overflow  is  waiting  to 
happen.  However,  such  check¬ 
ing  has  been  regarded  as  un¬ 
productive  overhead  —  when 
computers  were  less  powerful 
and  had  less  memory,  there 
was  some  justification  for  not 
making  such  checks.  Moore’s 
Law  has  removed  that  excuse, 
but  we’re  still  running  a  lot  of 
code  written  10  or  20  years 
ago,  even  inside  current  re¬ 
leases  of  major  applications. 

Some programming languages are immune to buffer overflow: Perl
automatically resizes arrays, and Ada95 detects and prevents buffer
overflows. However, C — the most widely used programming language
today — has no built-in bounds checking, and C programs often write
past the end of a character array.

Also,  the  standard  C  library 
has  many  functions  for  copy¬ 
ing  or  appending  strings  that 
do  no  boundary  checking.  C++ 
is  slightly  better  but  can  still 
create  buffer  overflows. 

Cracker’s  Choice 

Buffer  overflow  has  become 
one  of  the  preferred  attack 
methods  for  writers  of  viruses 
and  Trojan  horse  programs. 
Crackers  are  adept  at  finding 
programs  where  they  can 
overfill  buffers  and  trigger 
specific  actions  running  under 
root  privilege  —  say,  telling 
the  computer  to  damage  files, 
change  data,  disclose  sensitive 
information  or  create  a  trap¬ 
door  access  point. 

In  July  2000,  it  was  discov¬ 
ered  that  Microsoft  Outlook 
and  Outlook  Express  let  at¬ 
tackers  compromise  target 
computers  simply  by  sending 
e-mail  messages.  No  one  even 
had  to  open  a  message;  as 
soon  as  the  user  downloaded 
the  message,  message-header 
routines  went  into  action  — 
with  unchecked  buffers  that 
could  overflow  and  trigger 
code  execution.  Microsoft  has 
since created a patch that
eliminates the vulnerability.


Kay  is  a  Computerworld 
contributing  writer  in  Worces¬ 
ter,  Mass.  Contact  him  at 
russkay@charter.net. 


EXPLOITING  A  BUFFER  OVERFLOW 


1) Our function is using a buffer 240 bytes long, which happens to be
located at memory address 00000077.

Buffer address (8 bytes): 00000077
Buffer contents (240 bytes): [blank]
Old base pointer (8 bytes): 12345678
Return instruction pointer (8 bytes): 00410000

2) As it executes, the function begins to fill the buffer with A’s.

Buffer address (8 bytes): 00000077
Buffer contents (240 bytes): AAAAAAAAAAAAAAAA...
Old base pointer (8 bytes): 12345678
Return instruction pointer (8 bytes): 00401000

3) After 240 bytes, the buffer is full. All subsequent bytes overflow
into the next memory area, overwriting the old base pointer and the
return instruction pointer.

Buffer address (8 bytes): 00000077
Buffer contents (240 bytes): AAAAAAAAAAAAAAAA...
Old base pointer (8 bytes): AAAAAAAA
Return instruction pointer (8 bytes): AAAAAAAA

4) Now suppose that instead of just writing A’s, the function inserts
malicious code.

Buffer address (8 bytes): 00000077
Buffer contents (240 bytes): This is evil code....
Old base pointer (8 bytes): 12345678
Return instruction pointer (8 bytes): 40100000

5) After the buffer is filled with the malicious code, the old base
pointer is overwritten.

Buffer address (8 bytes): 00000077
Buffer contents (240 bytes): This is evil code....
Old base pointer (8 bytes): xxxxxxxx
Return instruction pointer (8 bytes): 00401000

6) Then the return instruction pointer is rewritten, not with random
values but with the address of the buffer itself, which now contains
malicious code. (The address can usually be determined by
trial-and-error experimentation.)

Buffer address (8 bytes): 00000077
Buffer contents (240 bytes): This is evil code....
Old base pointer (8 bytes): xxxxxxxx
Return instruction pointer (8 bytes): 00000077

7) After the buffer is filled, the program will go to the location
referenced by the instruction pointer and thus begin to execute the
malicious code.
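The missing length check described under "Bad Programming" and the layout in steps 1 to 3 of the diagram, as an added example that is not code from the article. A constructed struct stands in for the stack frame, so the overrun stays inside the model; the names frame_model, copy_unchecked, copy_checked and simulate are assumptions, and the two saved values are taken from the diagram.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   240
#define SAVED_BP  0x12345678u   /* old base pointer value from the diagram */
#define SAVED_RIP 0x00401000u   /* return pointer value from the diagram */

/* Constructed model of the frame in the diagram: a 240-byte buffer followed
 * by the old base pointer and the return instruction pointer. It is an
 * ordinary struct, not a real stack frame, so overrunning the buffer only
 * damages the model's own fields. */
struct frame_model {
    unsigned char buffer[BUF_LEN];
    uint64_t old_base_pointer;
    uint64_t return_pointer;
};

static void frame_init(struct frame_model *f)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->old_base_pointer = SAVED_BP;
    f->return_pointer = SAVED_RIP;
}

/* Models a copy with no length check: bytes past buffer[] land in the
 * fields that follow it. The write is clamped to the size of the model so
 * the demonstration never touches memory outside the struct. */
static void copy_unchecked(struct frame_model *f,
                           const unsigned char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Hardened form: input that does not fit is refused and the frame is left
 * untouched. Returns 0 on success, -1 if the input was rejected. */
static int copy_checked(struct frame_model *f,
                        const unsigned char *src, size_t len)
{
    if (len > sizeof f->buffer)
        return -1;
    memcpy(f->buffer, src, len);
    return 0;
}

/* Bit 0 set: old base pointer changed. Bit 1 set: return pointer changed. */
static unsigned corrupted_fields(const struct frame_model *f)
{
    unsigned mask = 0;
    if (f->old_base_pointer != SAVED_BP)
        mask |= 1u;
    if (f->return_pointer != SAVED_RIP)
        mask |= 2u;
    return mask;
}

/* Feed `len` bytes of 'A' into a fresh frame through either copy routine
 * and report which saved fields were damaged. */
unsigned simulate(size_t len, int use_checked, int *rejected)
{
    unsigned char input[sizeof(struct frame_model)];
    struct frame_model f;

    if (len > sizeof input)
        len = sizeof input;
    memset(input, 'A', sizeof input);
    frame_init(&f);
    *rejected = 0;
    if (use_checked)
        *rejected = (copy_checked(&f, input, len) != 0);
    else
        copy_unchecked(&f, input, len);
    return corrupted_fields(&f);
}

int main(void)
{
    static const size_t lengths[] = { 240, 241, 248, 256 };
    int rejected;

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        unsigned u = simulate(lengths[i], 0, &rejected);
        unsigned c = simulate(lengths[i], 1, &rejected);
        printf("%3zu bytes: unchecked damage mask %u, "
               "checked damage mask %u (rejected=%d)\n",
               lengths[i], u, c, rejected);
    }
    return 0;
}
```

A single byte past the 240-byte limit is already enough to change the old base pointer in the unchecked case, while the checked copy rejects the same input outright.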

The Next Chapter

Predictions:  A  Web  services  security 
breach  will  wreck  the  supply  chain. 
And  stolen  fingerprints  or  eye  scans 
will  thwart  biometric  systems. 


■  BYE-BYE  INCOMPETENTS 

The  fakers,  charlatans  and  incompe¬ 
tents  will  be  purged  from  the  IT  secu¬ 
rity  industry.  In  three  years,  40%  of  the 
current  gaggle  of  alleged  security  pro¬ 
fessionals  will  leave  the  industry  — 
some  to  other  professions,  many  to 
prison  for  egregious  misrepresentation 
of  their  skills.  By  that  time,  the  Depart¬ 
ment  of  Homeland  Security  will  have 
mandated  that  all  IT  security  profes¬ 
sionals  must  pass  a  skills  certification 
test  run  by  the  U.S.  military  academies. 

■  Thornton  May,  management  consul¬ 
tant  and  futurist,  Biddeford,  Maine 


■  XML  CATASTROPHE 

In  the  next  two  years,  there  will  be  a 
major  XML  Web  services  security 
breach.  The  consequences  will  be 
much  more  severe  than  the  defaced 
Web  sites  and  stolen  credit  cards  that 
caused  mostly  embarrassment  in  the 
early  days  of  e-commerce.  Instead, 
automated  production  lines  will  grind 
to  a  halt,  company  bank  accounts  will 
be  emptied,  100-company-long  supply 
chains  will  break,  and  the  most  propri¬ 
etary  corporate  data  may  be  disclosed. 
■ Eugene Kuznetsov, chairman and chief technology officer, DataPower
Technology Inc., Cambridge, Mass.


■  ATTACKS  GET  SPEEDIER 

As attacks grow more professional in nature, we’ll see an even greater
increase in the speed of threats. For instance, “flash worms” would
operate under the premise that a determined hacker could have obtained
a list of all (or almost all) of the servers open to the Internet in
advance of the release of the worm. Such an attack could infect all
vulnerable servers on the Internet in less than 30 seconds. Protecting
against these threats will require new, proactive technologies,
including behavior blocking, anomaly detection and new forms of
heuristics.

■  Rob  Clyde,  CTO,  Symantec  Corp., 
Cupertino,  Calif. 


■  OFFSHORE  TERRORISTS 

Next  year,  a  “sleeper  cell”  terrorist 
group  will  infiltrate  the  offshore  pro¬ 
gramming  industry  and  be  identified 
as  the  cause  of  a  widespread  worm 
that  will  have  been  injected  in  the  code 
of  a  widely  used  software  product. 

■  Tari  Schreider,  director  of  the  security 
practice,  Extreme  Logic  Inc.,  Atlanta 


■  NEW  ORGANIZATIONAL  CHART 

Public  and  private  companies,  in  large 
numbers,  will  merge  physical  and  data 
security.  They’ll  unify  these  two  inde¬ 
pendent  groups  on  the  organizational 
chart  and  convert  physical  access-con¬ 
trol  systems  from  stand-alone  systems 
to  network-enabled  systems  that  con¬ 
vert  physical  access  activity  into  net¬ 
work  data.  This  data  about  physical  ac¬ 
cess  will  be  correlated  with  IT  activity 
reports  to  provide  early  detection  and 
warning  of  security  breaches. 

■  Joel  Rakow,  partner,  Tatum  Partners, 
Los  Angeles 


■  SURGICAL  STRIKES 

Three or four years ago, hackers were taking a haphazard, shotgun
approach to Internet attacks, but now they’re using their tools to
penetrate very specific and lucrative targets, especially enterprise
networks containing valuable intellectual property. These highly
targeted attacks are on the rise, each one more intelligent and harmful
than the last. By 2005, targeted attacks will account for more than 75%
of corporate financial losses from IT security breaches.

In  the  next  two  years,  companies 
will  need  to  build  much  stronger  and 
more  intelligent  defenses  around  every 
network  endpoint  touching  sensitive 
information,  instead  of  depending  on 
general  perimeter  security. 

■  Gregor  Freund,  CEO,  Zone  Labs  Inc., 
San  Francisco 


■  HORSES  AND  LOGGERS  THREAT 

By  the  end  of  2003,  Trojan  horses  and 
keystroke  loggers  will  overtake  viruses 
as  the  greatest  threat  to  PC  users.  We’ll 
see  countless  malicious  attacks  each 
month  —  and  most  will  initially  go  un¬ 
detected,  causing  companies  to  lose 
millions  of  dollars.  This  problem  will 
be  made  worse  by  the  proliferation  of 
wireless  laptops  and  other  mobile  de¬ 
vices,  which  provide  hackers  with  a 
back  door  for  infiltrating  enterprise 
networks. 

■  Pete  Selda,  CEO,  WholeSecurity  Inc., 
Austin 


■  STOLEN  FINGERPRINTS 

Biometrics is perceived as the ultimate in security, but what does
somebody do once their bioprint is stolen? Within three years, hackers
will have all sorts of scanned fingerprints, retinal patterns, etc.,
and these will be used to bypass biometric network security. When your
credit card is stolen, you phone Visa and have a new card issued. When
your bioprint is stolen, do you call God and ask for a new set of
fingerprints or eyes?

■  Malcolm  MacTaggart,  president 
and  CEO,  CryptoCard  Corp.,  Kanata, 
Ontario 


■  OUTDATED  SIGNATURES 

Behavioral-anomaly-based  technology 
will  replace  traditional  signature-based 
methods  to  prevent  damage  from 
viruses,  worms  and  Trojan  horses  over 
the  next  three  to  five  years. 

■  Jeff  Platon,  senior  director  of  security 
marketing,  Cisco  Systems  Inc. 


■  FIRING  THE  CLUELESS 

P.T.  Barnum  knew  that  a  sucker  was 
born  every  minute.  Since  most  cyber 
risk  is  directly  attributable  to  insider 
activity,  including  the  social  engineer¬ 
ing  of  digital  dullards,  a  renewed  focus 
on  background  checks  is  necessary. 
The  chief  security  officer  of  the  fu¬ 
ture,  working  with  the  HR  chief,  is  go¬ 
ing  to  find  and  fire  digital  “suckers” 
before  their  dimness  puts  the  enter¬ 
prise  at  risk. 

■  Thornton  May 




Little Blue

The  SmartPrint  TruBlue,  from 
Labcal  Technologies  Inc.  in  Que¬ 
bec  City,  combines  fingerprint  bio¬ 
metric  technology  with  a  smart- 
card  authentication  reader.  The 
goal  of  this  hybrid  device  is  to 
eliminate  those  pesky,  complicat¬ 
ed  passwords.  It  plugs  into  a  com¬ 
puter’s  Universal  Serial  Bus  port. 

-  Mitch  Betts 


COMPUTERWORLD 


PREMIER 


JX7V7 

IT  LEADERS  2004 


Nominate  an 
outstanding  IT  leader 
for  Computerworld’s 
Premier  100  IT  Leaders 
2004 Awards  program 


EACH  YEAR,  Computerworld  editors  conduct  a  nationwide  search  for 
IT  managers  and  executives  who  show  technology  leadership  in  their 
organizations.  This  prestigious  awards  program  recognizes  and  honors 
IT  professionals  from  a  wide  range  of  industries,  drawing  attention  to  the 

innovative,  business-critical 
work  they  do. 

ELIGIBLE  NOMINEES  include 
CIOs,  CTOs,  senior  vice  presi¬ 
dents,  VPs,  IT  directors  and 
managers  from  user  compa¬ 
nies,  nonprofits,  the  computer 
industry  and  the  private  sector. 

HONOREES  will  be  announced 
in  Computerworld’ s  Jan.  5, 
2004,  issue  and  be  our  guests 
at  the  5th  Annual  Premier  100 
IT  Leaders  Conference,  on 
March  7-9, 2004,  in  Palm 
Desert,  Calif. 


Who  Qualifies? 


IT  managers  and 
executives  who 

■  Effectively  manage  IT  and 
business  strategies 

■  Envision  innovative 
approaches  to  business 
problems 

■  Foster  great  ideas  and 
creative  work  environments 

■  Excel  at  vendor  and  supplier 
management 

■  Take  calculated  risks  and 
learn  from  failure 


The  deadline  for  all  nominations  is  this  Friday,  July  18. 

Go  online  to  nominate  at  computerworld.com/p100nominations  or  O  Quicklink  a3420 
Questions?  Contact  us  by  e-mail  at  premier100@computerworld.com. 


Lead  Software  Development  En¬ 
gineer  (Denver)  -  Lead  in  the 
team  effort  to  design,  develop, 
code,  test  &  debug  new  complex 
software/make  significant  en¬ 
hancements  to  existing  complex 
software  using  knowledge  of 
C/C++,  Java,  SQL;  UML,  SCM; 
Oracle,  PL/SQL,  Pro*C;  client- 
server  programming  &  database 
design;  &  Unix  programming. 
Lead  review  of  input  for  docu¬ 
mentation  of  new/existing  soft¬ 
ware.  Apply  existing  &  introduce 
new  &  approved  technologies  to 
develop  solutions  using  C/C++, 
PL/SQL,  rule-based  systems  on 
a  Unix  platform.  Lead  others  in 
the  application  of  principles,  the¬ 
ories  &  concepts  &  use  of 
methodologies,  tools,  documen¬ 
tation  processes  &  test  proce¬ 
dures  to  complete  projects  in¬ 
cluding  Magic  Solutions  &  other 
business  process  automation 
applications.  BS  Comp  Sci,  Eng, 
or  related.  5  yrs.  related  experi¬ 
ence,  $93, 800/year,  M-F  8-5, 
detailed  working  knowledge  of: 
C/C++/Java/SQL,  UML,  SCM 
design/development  tools,  Orac¬ 
le,  PL/SQL,  Pro*C,  Client-server 
programming,  Unix  program¬ 
ming.  Application  by  resume 
only  to  CODOL,  Two  Park 
Central,  Suite  400,  1515 

Arapahoe  Street,  Denver,  CO 
80202;  Ref  job  CO5049367. 


IT  Positions:  (St.  Louis,  MO): 
Programmer  Analyst:  Develop  multi 
-tier  busi./mgmt  info  syst.  and  per¬ 
form  data  modeling/recon. in  AS/ 
400/ILE  environ,  using  00,  CL  pro¬ 
gram.,  RPGIV,  PDM,  RUL,  SDA, 
and  SQL400. 

Test  Analyst:  Complete  testing  life 
cycle  of  GUI/Web-based  appls.  w / 
test  scripts  using  SQA  /Rational 
Robot,  setup  data  on  AS/400  and 
testing  populated  data  in  Informix 
db  on  UNIX  w/  SQL  query,  post 
beta  release  issues  and  QA 
process. 

DBA:  Design/implement  terabyte- 
size  relational  Informix  db  on  HP- 
Unix,  SUN  Solaris  &  IBM-AIX;  db 
structures/objects/logic  design;  RD¬ 
BMS  backup/recovery  strategy; 
tuning/security  w /  Informix  4GL, 
VERITAS  Netbackup,  Shell  scripts, 
C,  and  ESQL/C. 

Require  BS/BA  or  the  equivalent  in 
Comp.  Sc.,  Engr.  MIS.  or  in  a  close¬ 
ly  related  field. (will  accept  equ. 
exp.)  plus  min. 6  mon.  exp.  in 
offered/related  position,  and  must 
be  able  to  perform  all  the  duties  on 
the  day  of  employment.  Full  time/ 
competitive  salary.  Resume  to: 
Crawford  Group.  Inc.  at 
spiatt@erac.com  Include 
"ComputerWorld"  in  the  subject 
line.  NOCALL/EOE. 


Software  Dev  Co.  req.  Software 
Engr.,  Duties  incl :  Take  an  active 
role  in  the  development  and 
maintenance  of  Object  oriented 
multi-threaded  SCADA  software. 
Software  Engineer  will  develop 
software  requirements  specifica¬ 
tions,  functional  specifications, 
software  design  documents  and 
test  documents.  Design  develop 
and  implement  ladder  logic  and 
device  driver  using  MODBUS, 
SNP-X,  IEC  870  protocol  for  PLC. 
Knowledge  of  GUI  implementa¬ 
tions  is  required  for  both  the 
designing  and  debugging  of  code 
using  VC++.  Perform  database 
design,  develop,  maintain  and 
implement  database  scripts, 
stored  procedure  and  triggers  for 
SQL-Server  and  MS-ACCESS. 
On-site  implementation  of  HMI 
software.  Job  to  be  performed  at 
Frederick  .  MD,  and  at  various 
unanticipated  client  sites  through¬ 
out  the  U  S.  Resp.  to  IT  Director, 
Engineenng  Systems  Solutions. 
Inc.  5726  Industry  Lane, 
Frederick,  MD  21704. 


Senior  Software  Engineer 

Develop  complex,  multi-tiered  ap¬ 
plications,  especially  Internet  ap¬ 
plications  &  to  design  &  trouble¬ 
shoot  at  all  stages  of  development. 
Interact  w/customer  to  understand 
&  deal  w/any  potential  complica¬ 
tions  or  special  requirements.  In 
developing  application,  must  for¬ 
mulate  &  develop  application  de¬ 
sign  using  object  oriented  analysis 
&  design  techniques,  develop  & 
deploy  design  under  operating 
systems  UNIX  or  NT,  as  well  as 
conduct  application  engineering  & 
assist  customers  in  writing  applica¬ 
tions  using  assorted  tools.  Posi¬ 
tion  requires  extensive  amount  of 
travel  in  N.  American  region. 

Rqrs:  MS  in  CS,  Engineering,  or 
related  or  equivalent.  A  BS  w/5 
years  of  post-baccalaureate  pro¬ 
gressive  experience  will  substitute 
for  a  Master's  degree.  Requires 
extensive  knowledge  in  server  side 
Java  or  C++;  extensive  knowledge 
in  developing  in  UNIX  or  NT;  ex¬ 
tensive  knowledge  in  development 
using  object  oriented  analysis  & 
design  techniques;  knowledge  of 
J2EE  standards,  including  EJB, 
JSP,  Servlet  Programming,  JNDI, 
&  JBDC;  knowledge  of  e-com¬ 
merce  projects;  knowledge  in 
XML;  &  knowledge  of  directory  ser¬ 
vices.  8:30a. -5:30p.  40  hrs/wk. 
$115,000/yr.  Submit  2  resumes  to 
Case  #  200200417,  Labor  Ex¬ 
change  Office,  19  Stamford  St,  1st. 
fl.,  Boston  MA  02114. 


Software  Engineer 

Must  design  &  develop  complex 
enterprise/distributed  systems 
for  the  Internet  using  Java,  sup¬ 
porting  technologies  &  tools; 
analyze  software  requirements 
to  determine  feasibility  of  design 
within  time  &  cost  constraints; 
assist  in  planning,  development, 
&  modification  of  any  existing 
application;  develop  &  direct 
software  system  testing  proce¬ 
dures,  programming  &  docu¬ 
mentation;  &  consult  with  cus¬ 
tomer  concerning  issues  of  a 
software  system.  Rqrs:  BS  in 
CS,  E,  or  related  w/2  years  soft¬ 
ware  industry  experience.  Rqrs 
experience  in  Java  Program¬ 
ming  Language;  real-world  ex¬ 
perience  designing  &  building 
Multi-Tier  enterprise  applica¬ 
tions,  Object-oriented  design,  & 
relational  databases;  &  experi¬ 
ence  w/either  weblogic  applica¬ 
tion  server  or  IBM’s  websphere 
Application  server.  Good  com¬ 
munication  skills  are  a  must. 
1 0:00a. -6:00p.  40  hrs/wk. 

$74,000/yr.  Submit  2  resumes 
to  Case  #  200201855,  Labor 
Exchange  Office,  19  Staniford 
St,  1st.  fl.,  Boston  MA  02114. 


Prog/Analysts  to  -  analyze, 
design,  test  client  server/web 
appls  with  OOAD  methodologies 
using  Java,  VB,  EJB,  Servlets, 
J Script,  XML,  HTML.  Oracle, 
SQL,  JDBC,  Access,  Weblogic, 
etc  in  Windows  OS;  analyze 
business  processes,  determine 
reqs,  generate  reports;  docu¬ 
ment,  maintain,  debug,  test,  per¬ 
form  code  optimization;  OR  - 
analyze,  develop,  maintain  s/w 
appls  using  Oracle  Appls, 
Oracle,  PL/SQL,  Dev  2000,  etc 
under  Windows/UNIX  OS;  con¬ 
duct  functional  testing/debug; 
perform  data  conversions,  cus¬ 
tomize  Forms/Reports  using 
Oracle  Appls  standards;  docu¬ 
ment,  maintain  &  update  dev 
process.  Require:  BS  or  for¬ 
eign  equiv.  in  CS/Engg  (any 
branch)  or  related  field  &  2yrs 
exp.  in  IT.  High  salary.  Travel 
involved.  F/T.  Resume  to:  HR, 
Bahwan  Cybertek  Tech¬ 
nologies,  Inc.,  209  West  Central 
Street,  Ste  312,  Natick,  MA 
01760. 


ASP  Web  Dvlpr  wanted  by 
Multi-Nat’l  Mktg  &  Ad  Co.  in 
Detroit.  Oversee  prgmng  for 
database  web  projects  using 
ASP;  review  site  specs,  meth¬ 
ods  &  technology;  ensure  pro¬ 
ject  deliverables  are  complet¬ 
ed  to  standard;  create  appli¬ 
cations  to  support  multi-plat- 
form  deployment;  trouble¬ 
shoot;  eval/specify  hardware; 
mng  systs  interface.  Bach  in 
Comp  Sci  or  Engineering  & 
2yrs  in  job  offered  req.  Re¬ 
spond  to:  HJ/HR  Dpt,  PO  Bx 
4241,  GCS,  NY  10163. 


Sr. Software Engineer (with Bachelors degree and 5 years experience) - West Chester, OH. Job entails and requires experience in design and development of applications using Oracle, Visual Basic, i2 Demand Planner, PL/SQL, Perl Script and Unix. Relocation within USA possible. Attractive compensation package. Send resume to Catherine Fanucchi, SDG Corporation, 65 Water Street, Norwalk, CT 06854.


BitsOfCode Software Systems, Inc. (Katy, TX) is seeking System Analysts. 6 mon. exp. using C#, C++, C, Java, TIBCO, FIX, FIXML, XML/XSLT/DHTML, J2EE/Swing, TOPS Financial Modules, Reuters/Tibco Market Feeds, JRun, COM/DCOM/ActiveX, JNI, JDBC, Excel VBA, Oracle, SQL, Javelin Appia, B2B Fix, JBuilder and Weblogic. B.S. required. Send resume to 22523 Westbrook Cinco Ln, Katy, TX 77450. 888-423-4993(F)/281-693-2633(T). Attn: Joseph Koothrappally.


System  Admins,  to  analyze, 
design/develop  appls  using 
Lotus  Notes,  Lotus  Script, 
JScript,  HTML,  XML,  Oracle, 
MS  SQL  Server,  etc.  under 
UNIX/Windows  OS;  install, 
administer/configure  Lotus 
Notes  R4/R5,  Domino  R6, 
Windows  NT;  maintain  backup, 
schedule maintenance, administer
user accounts, provide user
support  for  network  problems. 
Require:  B.S.  or  foreign  equiv  in 
CS/Engg(any  branch)  with  2  yrs 
exp  in  system  admin.  High 
Salary.  F/T.  Travel  involved. 
Resume  to:  HR,  Salem 
Associates,  Inc.,  405,  6th  Ave., 
Ste  102,  Des  Moines,  IA  50309. 


Computers  -  Citigroup,  Inc. 
(Stamford,  CT)  seeks  Software 
Engineers/Developers,  Prog. 
Analysts/Admins,  Project  Mgrs,  DB 
Architects,  QA  Engineers  w/BS  or 
MS  in  Comp.  Sci,  Engineering, 
Math,  IT  Electronics,  CIS,  MIS,  Bus. 
Admin,  or  related  quantitative  field 
or equiv. combo. of work exp. &
educ.,  &/or  exp.  in  any  above  or 
similar  positions.  Exp.  in  any  of  the 
following:  UNIX,  AIX,  Sun/Solaris, 
PL/SQL,  Sybase,  Oracle,  C++, 
ProC,  VB,  ASP,  Visual  Interdev, 
Java,  JavaScript,  Oracle,  Netscape, 
MS,  IIS,  Shell  Scripting,  HTML,  Fox 
Pro,  Perl,  Windows  NT,  Networking, 
Security  tools,  QC,  Encryption 
Tools,  CASE  tools,  e-Commerce 
technologies.  Forward  resume  to 
Attn: DT, 100 First Stamford Place,
Stamford, CT 06902. No calls or
faxes, please. EOE. M/F/D/V.


Applications Systems Analyst wanted by Lux Resort & Casino in FL. Analyze, design/redesign, dvlp & support internet initiatives & web pgs; install & support server; work w/team to dvlp corp intranet; dvlp custom appl based interfaces. Bach in Comp Sci & 2yrs exp in job offered req. Respond to: Recruitment Mngr/Kerzner, 1000 S Pine Island Rd, Plantation, FL 33324.


Kama Consulting Inc.
TOP $$'s, W2 or 1099

We are a fast growing
Consulting company based
in New Jersey.
Excellent opportunities for
Programmers,
Systems Analysts, DBAs.
Sun Solaris System Admins,
Natural, WebSphere,
ADABAS, ORACLE, SYBASE,
PROGRESS, COBOL, C++
TCP/IP, Delphi/VB, Windows NT
Send  your  resume  to 
Rod  McFadden 
Kama  Consulting 
Fax:  704-896-9660 
Email:  rod@kamaco.com 


PROGRAMMER ANALYSTS for Mt. Prospect, IL office. Develop & maintain software applications using Oracle, SQL Server, Erwin, Linux, Sybase, XML, UML, Interwoven, Coolgen, ClearCase, ClearQuest, Plumtree, PVCS, UNIX. Bachelors Degree reqrd in Computers, Engineering, Math or related field of study + 2yrs of related exp. 40 hrs/wk; Must have legal authority to work permanently in the US. Send resume to HR Manager, Magnum Technologies, Inc. 1000 Arbor Court, Mt. Prospect, IL 60056.


Paradigm  Infotech  is  looking  for 
programmer/system  analysts, 
s/w  engineers.  Candidate  must 
have  BS  with  at  least  one-year 
IT  experience.  Good  skills  in 
C/C++,  Java,  Oracle,  WebLogic, 
VB,  HTML,  ERP  are  plus. 
Traveling  is  required.  Apply 
jobs@paradigminfotech.com. 
EOE 

Synova Inc is seeking professionals
with following skills:
Programmer/System  Analysts, 
Engineers  in  Mainframe,  Web 
Tech,  Technical/functional  (SAP 
&  Peoplesoft),  Java,  VB, 
Rational/RUP,  UML,  J2EE,  Unix 
DBA,  Oracle,  SQL  DBAs. 
Respond  to: 
ads@synovainc.com 


System  Analyst  wanted  to 
analyze  data  processing 
problems  for  application  to 
electronic  data  processing 
systems; analyze user requirements,
procedures, and problems to automate
or improve existing systems,
and related duties.
BS  in  CS  or  in  Electrical 
Eng.  2  yrs  exp  Required. 
Send  resume  to  Advanced 
Control  Systems  Corp.,  35 
Corporate  Park  Dr., 
Pembroke,  MA  02359. 


Sr  Software  Engineer 
(Monrovia,  MD)  for 
s/ware  product  co. 
Reqs:  Bach  degree  in 
Comp  Sci/Comp  Eng 
or  EE  &  5  yrs  exp  in 
job  offrd  or  relatd. 
Send  resume  to: 
Qovia  Inc.,  4937-D 
Green  Valley  Rd,  Unit 
4,  Monrovia,  MD 
21770,  attn:  Lance  C. 


Engineering  Programmer 
sought to convert engineering
formulations into
computer programs to be
used for oil drilling equipment.
Program and customize
drilling rig systems
to  meet  the  clients'  needs, 
and  perform  related 
duties.  B.S.  in  Computer 
Science  and  experience 
required.  Send  resume  to 
EMER  International,  Inc., 
19424  Park  Row,  Suite 
104,  Houston,  TX  77084. 


THE WORLD’S BEST
IT TOOL IS IN
YOUR HANDS.

THE WORLD’S BEST
IT TALENT IS AT
OUR SITE.

WHAT ELSE WOULD YOU
EXPECT FROM THE ONE AND
ONLY CAREER RESOURCE
FOR READERS OF
COMPUTERWORLD,
INFOWORLD AND
NETWORK WORLD?


COME  ON, 

RECRUIT  OUR  READERS 
AN  YOU’LL  RECRUIT 
LESS  1  IL 

www.itcareers.com
Programmers to analyze, design, test data warehousing / data mart, software appls and ETL tools like Informatics and Cognos, Oracle, MS SQL Server, Dev 2000 under Windows OS OR analyze, design buss./scientific appls using SAP R/3, ABAP, VB, Oracle, SQL Server on UNIX/Windows envir.; gather and document reqs from user community; test/troubleshoot project appln code according to system objectives. Require: B.S. or foreign equiv. in CS/Engg. (any branch) and 6 months exp in IT. In lieu of BS, 3yrs of academic studies towards a Bachelors plus 1 yr of exp in IT will be accepted. High salary. Travel involved. F/T. Respond to: Smartsoft International, Inc., 4898, South Old Peachtree Rd., Ste 200, Norcross, GA 30071.


ComSpec International is looking for system/programmer analysts. Duties include design test data and test plan, use Uniface, Oracle, Access XP, Crystal Report. Qualified applicants must have BS with exp as software developer. Please contact R.Brender@comspec-intnl.com. EOE.

Corpus  has  multiple  openings 
for  IT  professionals.  Following 
skills  preferred:  Oracle,  SQL, 
PL/SQL,  COBOL,  C/C++,  VB, 
SAP,  Java,  XML,  ERP,  ASP,  NT, 
XSL.  Minimum  BS  degree. 
Traveling  is  required  for  some 
positions.  Please  send  resumes 
to  info@corpuslnc.com.  EOE. 


Seeking qualified applicants for the following positions in Memphis, TN: Senior Systems Programmer. Devise procedures to solve complex systems and applications problems. Requirements: Bachelor's degree* in computer science, MIS, engineering or related field plus 5 years of experience in systems programming. Experience with UNIX, C and logistics code development also required. *Master's degree in appropriate field will offset 2 years of general experience. Submit resumes to Sibi George, FedEx Corporate Services, 1900 Summit Tower Blvd., Suite 1400, Orlando, FL 32810. EOE M/F/D/V.


Manager of Customer Applications
wanted by shipping
and  container  co.  in  Tampa, 
FL.  Must  have  a  minimum  4 
years  exp.  as  a  Computer 
Systems  Analyst/Programmer 
Analyst  or  related  occupation, 
with  4  yrs.  exp.  with  AS400/ 
iSeries  programming  including 
CL,  RPG,  2  yrs.  exp.  using 
RPGIV/ILE  and  1  yr.  exp.  using 
Robot,  Implementer  and 
Hawkeye  Pathfinder.  Refer  to 
Job  #IMG100  Lykes  Lines 
Limited,  LLC  (CP  Ships),  401 
East  Jackson  St.,  Suite  3300, 
Tampa,  Florida  33602. 


Want  a  new 
IT  career? 


Check  out  our  jobs 


in  the  combined 


CareerJournal.com 


database. 


www.itcareers.com 


Programmer/Analyst needed for analysis and design of systems solutions across multiple technical and business environments. Requires 3 years of experience in job offered or in related occupation of Programmer. Experience must include 3 years with Visual Basic and Oracle and/or SQL; and 2 years with ASP and Javascript. Salary offered: $69,030. Send resumes to Bureau of Labor Standards, 45 State House Station, Augusta, Maine 04333-0045. Refer to job order #38081 for Programmer Analyst.


Prog/Analysts to design, develop/deploy complex appls using Cold Fusion, Oracle, Java, Jscript, HTML, SQL Server, Cold Fusion App. Server, WebLogic, etc. under Windows OS; analyze functional and user req and new tech. to solve business problems; test, troubleshoot and debug appls. Require: B.S. or foreign equiv in CS/Engg (any branch) field with 2 yrs exp in IT. High salary. F/T position. Travel Required. Resume to HR, Smartsoft International, Inc., 4898, South Old Peachtree Rd, Norcross, GA 30071


S/W  Enggs  to  analyze,  design 
develop  appls  using  C++,  Java, 
CORBA,  EJB,  JDBC,  JSP, 
Rational  Rose,  CGI,  SQL, 
Oracle,  Crystal  Reports, 
Weblogic  under  Windows/UNIX 
OS;  perform  project  scoping, 
project  planning  project  time/ 
cost schedules, quality of deliverables;
study, evaluate new
tech/methodologies;  provide 
technical  guidance  for  complex 
user  problems.  Require:  MS  or 
foreign  equiv.  in  CS/Engg.  (any 
branch)  &  1  yr  exp.  in  IT.  High 
Salary.  F/T.  Travel  involved. 
Respond  to:  HR,  Unilinx,  Inc., 
4625  Alexander  Dr.,  Ste  110, 
Alpharetta,  GA  30022. 


Programmer Analysts: Plan, design, develop, configure, code, implement & analyze computer programs & systems. Modify existing application and provide systems support. Analyze users requirement to enhance system performance. Req. Bachelor's degree or equivalent in CS, CE, EE (Electrical or Electronic and Communication Engineering). Must be proficient in either C++, Oracle, PowerBuilder, MCSE, CCIE, Unix Shell-programming, Crystal Reports, CCNA, or Rational Rose. 40hr/wk, 9:00 a.m.-5:00 p.m. Send resume to Think Development Systems, Inc., 6292 Lawrenceville Hwy., Suite-C, Tucker, GA 30084.


Software Engineers. Analyze requirements, formulate design, test, modify and develop systems/software applns; using MQ Series, Weblogic, J2EE, RMI, JMS, JDBC, JNDI, JTA, TIBCO, UML, Netscape Directory Server, Oracle, DB2, PL/SQL, etc. to determine feasibility; prepare & design specs; develop testing procedures. Reqd. BS or Equiv. in edu & exp. in CS/Engg/Maths/related plus 2 yrs exp. Comp. salary, send resume to HR Surecom Inc., 82 West Main Street, Northboro, MA 01532.


Senior Software Engineer (Portland, Oregon) - Responsible for full life-cycle development of object-oriented multithreaded Windows applications using Visual C++ to provide network wide system solutions to report and control network consumption and improve end-user response time. Develop algorithms for Socket based TCP/IP applications to manage distributed components that align network consumption for customers needs. Use Layered Service Provider ("LSP") technology to implement product features. Must have Bach. deg. or equiv. in Comp. Sci., Eng. or related field. Must have 5 yrs of exp. in the job offered or 5 yrs in a position involving full life cycle development of object-oriented Windows applications using Visual C++. Exp. mentioned may have been obtained concurrently and must include: (i) 1 yr of exp. developing algorithms for Windows Socket based TCP/IP applications to manage distributed components; (ii) 2 yrs of exp. building multithreaded apps for Microsoft Windows platform; and (iii) 1 yr of exp. implementing product features using LSP technology. Must be legally authorized to work in the U.S. Please send resume to S. Pandya (REF:SSE), Centrisoft Corp., 707 Southwest Washington, Suite 1200, Portland, OR 97205.


Applications Support Analyst, Ontario, CA. Consult w/ SAP users to identify & analyze SAP processes & issues. Redefine SAP processes, recommend & help implement changes. Change, maintain & document Warehouse SAP processes per ISO 2000. Assist QA Dept. & processes, & act as Internal ISO Auditor for Configuration Ctr. "Write up" user needs, prog. functions, & steps to develop/modify relevant programs & syst; prep. workflow charts & diagrams re same. Help resolve work problems re: flow charts, project specs, programming. BS or equiv + 1 yr experience, incl. QA. Fluent SAP R/3, AllClear, Visual C++ & C++, HTML, ASP, Rational Rose. Send resume to VP, HR, En Pointe Technologies, 100 N. Sepulveda Blvd., 19th Fl., El Segundo, CA 90245.


Programmers to analyze/design database & other software appls using Oracle, SQL, Visual Basic, Active X, FormBuilder etc. under Windows and UNIX OS; develop system spec; enhance and modify existing appls; study, evaluate new tech/methodologies; provide technical guidance for complex user problems. Requires B.S. or foreign equiv. in CS/Engg. (any branch) & 6 months of exp. in IT. Apply by resume to: HR, Fourth Technologies, Inc., 585 Tollgate Rd., Ste I Elgin, IL 60123.


Senior  Software  Engineer 
sought  by  legal  information 
services  co.  with  office  in 
Glendale,  CA.  Exp  in  VB, 
OOAD  methodology,  COM, 
UML,  DHTML,  XML,  ASP, 
C++/Java,  IIS,  ADO,  C#, 
.NET,  Oracle,  Crystal  Reports 
and  SQL  Server.  Analyze, 
design, develop, test & support
web-based e-commerce
applications for MS Windows.
Resumes to HR Dept., CCH
Legal Information Services,
Inc., 111 Eighth Ave, NY, NY
10011.


Get  Ahead  In  Your  Career! 


Meet  Face-To-Face  With  Leading  Employers  At  The... 

Career Fair


CHICAGO,  IL 

Tuesday,  July  29 

Navy  Pier 

600 E. Grand Avenue • Chicago, IL 60611

Partial  List  of  Employers  Includes:  ACE  Hardware 
Corporation,  ASAP  Software,  Blockbuster,  Computer 
Associates,  Drug  Enforcement  Administration, 
GlaxoSmithKline,  Liberty  Mutual,  Merck,  Northrop 
Grumman  Corporation,  Office  Depot,  Progressive 
Insurance,  SBC  Communications,  TransUnion,  U.S. 
Border  Patrol,  Verizon  Wireless  and  Wal-Mart  Stores. 


PHILADELPHIA,  PA 

Tuesday,  July  29 

Pennsylvania  Convention  Center 

12th & Arch Street • Philadelphia, PA 19107

Partial  List  of  Employers  Includes:  American  Express 
Financial Advisors, ARAMARK Healthcare Support,
Bed Bath & Beyond, Clear Channel Radio, Clement
Publishing  Group,  Comcast,  Daimler-Chrysler,  Federal 
Aviation  Administration,  FedEx,  Lockheed  Martin, 
Merck, Progressive Insurance, Sovereign Bank, Takeda
Pharmaceuticals,  Target  Stores  and  The  Pep  Boys. 


Exhibit  Hours  for  Both  Events:  11:30am  -  4:30pm  •  Free  Admission 

Employers  -  To  exhibit,  please  call  Gloriann  Clark  at  310-309-4409. 


For  the  latest  information,  visit  diversitycareerexpos.com 


Trustek, Inc. Consulting firm is seeking Software Engg. w/MS & min. 1 yr. exp. or equiv. & Prog. Analyst w/BS & 2 yrs. exp. or equiv. Travel/Relo required anywhere in US. C, C++, NT, UNIX, Shell, Perl, CGI, Sybase, .Net Studio, VB.Net, ASP.Net, SQL Server, WebPages, JavaScript, VBScript, CORBA, HTML/DHTML, ASP, CSS, COM/DCOM, COM+, Crystal Reports, Architecture, Erwin, Developer 2K, PL/SQL, SQL*Plus, Forms, Reports, Express, Designer 2K, Star/Snowflake Schema, Modeling, Java, JSP, XML, XSL, XSLT, J2EE, EJB, WebSphere, WebLogic, UML, Rational Rose, JDK, Swing, Struts, Datawarehousing, ETL, OLAP, DSS, Informatica (PowerCenter, PowerMart), Cognos (Impromptu, PowerPlay), Brio, Business Objects, SUN, Solaris, HP-UX, ITO, Veritas, EMC, SAN, OpenView, Oracle Clinical, ClinTrial, SAS, FDA regulations, Validations, Oracle Applications, nQuery, PeopleTools, PeopleCode, PeopleSoft, SAP R/3, SapScript, SmartScript, Idocs, ALE, EDI, BASIS, ABAP, BW, APO, ITS, Adaytum, Cognos Business Suite. Software Engineer Position applicant should also have exp. in interface w/hardware & software. All applicants should be able to provide functional implementation, config, train, analyze, implement, code, test, backup, install, manage, customize, tuning, AS-IS study, Internet/Intranet applications, stored procedures, triggers. Create database tools, tables, files, roles, Indexes, space management and re-organize. Apply w/resumes to Attn: Recruiter, 2 Ethel Road, Suite 202-C, Edison, NJ 08817.


ERP  Business  Process  Manager 


According to a recent poll by Computerworld, that included
11,500 IT employees, Hershey is "The best place to work if you are
an IT Professional".

We are currently seeking qualified professionals to serve as SAP
ERP Business Process Managers. The key responsibility of this role
is  to  act  as  a  bridge  between  the  Information  Services  Group,  and 
the  HR  and  Manufacturing  organizations,  working  primarily  on 
either  the  compensation  and/or  time  management  modules 
of  SAP  (2  open  positions).  In  this  role  you  will  be  responsible  for 
all  aspects  of  the  implementation  lifecycle  including:  complex 
business  process  design,  development  &  optimization,  SAP 
configuration,  strategic  direction  for  the  integration  of  various  SAP 
modules,  testing  and  the  training  and  development  of  customer 
and  junior  team  members.  You  will  also  be  responsible  for 
customer  relationship  management,  project  proposals,  leading 
budgeting  and  resource  planning  within  the  area  of  expertise,  and 
providing  overall  strategic  direction  regarding  the  deployment  of 
SAP  at  Hershey  Foods  Corporation. 

The  ideal  candidate  will  have: 

•  Bachelor's  of  Science  degree 

•  Minimum  of  3  years  of  SAP  design  and  implementation 
and  a  minimum  of  10  years  in  Information  Services  or  an 
operational  business  area 

•  Ability  to  lead  solutions  within  a  functional/business 
process  area 

•  Knowledge  of  business  process  improvement  programs 
within  the  consumer  packaged  goods  industry  or  a 
related  field 


Various  IT  positions  also  available 
We offer 401(k) and stock plans. Please apply via our website at:

www.hersheys.com/careers. 

We  will  only  respond  to  those  individuals  who  will  be 
interviewed. Equal Opportunity Employer M/F/D/V

Hershey  Foods 
Sr. SW Engr.- As member of SW developmt. team, design & develop SW & sustain co.'s cutting-edge telephony devices. Will
develop & enhance serviceability tools & participate in design & code reviews. Will test & integrate telecom products & provide
critical bug fixes for customers. In addition, will provide customer SW enhancements & use programming/analytical skills
in order to provide services for debugging. Must have B.S. in Comp. Eng'g, Comp. Sci., E.E. or equiv. + 5 yrs. exp. in the job
offered or 5 yrs. progressively responsible post-grad. SW developmt. exp. (5 yrs. exp. must include at least 2.5 years exp. w/
Telecom SW development.) In the alternative, employer will accept M.S. in stated fields + 2 yrs relevant exp. Must have
knowledge in at least one of the following telecom protocols, ISDN or SS7 Call processing, ATM or TCP/IP, as well as strong
coding skills in C. 40 hrs/wk; Salary: $92,833/yr. Send 2 copies of resume to: Case #200201602 and/or 200201644, Labor
Exchange Office, 19 Staniford St 1st Fl, Boston MA 02114.

Sr.  SW  Engr  -  Develop,  integrate,  maintain  &  test  complex  communication  protocols  including,  but  not  limited  to:  Sigtran, 
SS7/CCS7  &  ISDN.  Participate  in  design  &  code  reviews  of  new  SW  &  modifica'ns  to  exist'g  SW.  Develop,  maintain  &  test 
telecom  applications  &  system  SW  responsible  for  configuring  &  controlling  the  system,  internal  communication  between  SW 
entities, fault tolerant & redundant operation of SW. Analyze & document computerized telecom system SW reqs., functional
specs., architectural specs. & design specs. Must have M.S. in Comp. Eng’g, Comp. Sci., E.E. or equiv., + 2 yrs. exp. in
job offered or 2 yrs. exp. w/telecom SW development. (Exp. may be gained before or after M.S.). In the alternative, employer
will accept Bachelor's degree + 5 yrs. of progressively responsible post-grad SW development exp., including 2 yrs. telecom
SW developmt. exp. Must have proficiency in C programming, as well as knowledge of telecom protocols. 40 hrs/wk;
Salary: $92,833/yr. Send 2 copies of resume to: Case #200201646, 2002 Labor Exchange Office, 19 Staniford St 1st Fl,
Boston MA 02114.

Sr. SW Engr.- As a member of SW developmt. team, design & develop Element/Network Management SW. Will determine
SW developmt. process best practices including design & code reviews. Will prepare specs. for Element/Network
Management SW. Will design & develop Plexus PlexView Element Manager SW. In addition, will test & integrate EM SW
w/ Plexus 9000 & other products developed by the company as applicable. Must have B.S. in Comp. Sci./Eng'g,
Electrical/Electronics Eng'g or equiv. + 3 yrs. exp. in job offered or 3 yrs. exp. in SW developmt. Must have developmt. exp.
w/ element/network mngmt. SW for the telecom industry. Must have exp. develop'g SW applications on UNIX platforms using
Java and/or C/C++. 40 hrs/wk; Salary: $92,833/yr. Send 2 copies of resume to: Case #200201665, Labor Exchange Office,
19 Staniford St 1st Fl, Boston MA 02114.

Sr.  SW  Engr.-  As  member  of  SW  developmt.  team,  design  &  develop  SW  &  sustain  co.'s  cutting-edge  telephony  devices. 
Will  develop  &  enhance  serviceability  tools  &  participate  in  design  &  code  reviews.  Will  test  &  integrate  telecom  products  & 
provide  critical  bug  fixes  for  customers.  In  addition,  will  provide  customer  SW  enhancements  &  use  program'g/analytical  skills 
in  order  to  provide  services  for  debugging.  Must  have  M.S.  in  Comp.  Eng'g,  Comp.  Sci.,  E.E.  or  equiv.+  2  yrs.  exp.  in  job 
offered  or  2  yrs.  exp.  w/Telecom  SW  developmt.  (exp.  may  be  gained  before  or  after  M.S.)  In  the  alternative,  employer  will 
accept  Bachelor's  degree  +  5  yrs.  of  progressively  responsible  post-grad  SW  developmt.  exp.  includ'g  at  least  2.5  yrs.  exp. 
w/telecom SW developmt. Must have knowledge in at least one of the following telecom protocols: ISDN, SS7 Call processing,
or TCP/IP as well as strong coding skills in C. 40 hrs/wk; Salary: $92,833/yr. Send 2 copies of resume to: Case #
200201687, Labor Exchange Office, 19 Staniford St., 1st Fl, Boston MA 02114.

Sr.  SW  Engr.-  As  member  of  Technical  Srvcs.  SW  developmt  team,  ensure  integrity  of  design,  developmt.,  implementa'n  & 
testing  of  communications  SW  for  co.'s  cutting-edge  telecom  products.  Resolve  complex  problems  caused  by  anomalies  in 
telecom  SW  for  network  sub-systems.  Reproduce  problems  in  lab.  Isolate  SW  problems  in  affected  module(s).  Develop 
interim solu'ns to problems. Assess ways to enhance prod. reliability & serviceability. Recommend process improvements
to enhance service delivery/offerings. Work closely w/sustain'g engrs. to find root cause analysis of reported anomalies. Must
have B.S. in Comp. Sci./Eng'g, Electrical/Electronics Eng'g or equiv. + 5 yrs. exp. in job offered or 5 yrs. exp. w/ SW developmt.
for Telecom Industry. (5 yrs. exp. must be progressively responsible post-grad exp.) Must have in-depth knowledge of
telecom protocols (i.e. PRI, SS7, ATM, TCP/IP) & scripting languages (i.e. TCL/Expect, UNIX shell programming & PERL as
well as C/C++). Must have exp. diagnosing & solving complex problems in telecom/data networks. 40 hrs/wk; Salary:
$92,833/yr. Send 2 copies of resume to: Case #200201688, Labor Exchange Office, 19 Staniford St 1st Fl, Boston MA 02114.

Sr.  SW  Engr.-  As  a  member  of  SW  developmt.  team,  design  &  develop  Element/Network  Management  SW.  Will  determine 
SW development process best practices includ'g design & code reviews. Will prepare specs. for Element/Network
Management  SW.  Will  design  &  develop  Plexus  PlexView  Element  Manager  SW.  In  addition,  will  test  &  integrate  EM  SW 
w/  Plexus  9000  &  other  products  developed  by  the  co.  as  applicable.  Must  have  B.S.  in  Comp.  Sci./Eng'g, 
Electrical/Electronics  Eng'g  or  equiv.  +  3  yrs.  exp.  in  job  offered  or  3  yrs.  exp.  in  SW  developmt.  Must  have  developmt.  exp. 
w/element/network  management  SW  for  telecom  industry.  Must  have  exp.  develop'g  SW  applications  using  Java  and/or 
C/C++.  40  hrs/wk;  Sal:  $92,833/yr.  Send  2  copies  of  resume  to:  Case  #200201691,  Labor  Exchange  Office,  19  Staniford 
St 1st Fl, Boston MA 02114.

Sr.  SW  Engr.-  As  a  member  of  Tech.  Srvcs.  SW  developmt.  team,  ensure  integrity  of  design,  developmt.,  implementation  & 
testing  of  communications  SW  for  co.'s  cutting-edge  telecom  products.  Resolve  complex  problems  caused  by  anomalies  in 
telecom  SW  or  network  sub-systems.  Reproduce  problems  in  lab.  Isolate  SW  problems  in  affected  module(s).  Develop 
interim  solu'ns  to  problems.  Assess  ways  to  enhance  product  reliability  &  serviceability.  Recommend  process  improvements 
to  enhance  srvc.  delivery/offerings.  Work  closely  w/  sustain'g  engrs.  to  find  root  cause  analysis  of  reported  anomalies.  Must 
have B.S. in Comp. Sci./Engr'g, Electronics Eng'g or equiv. + 5 yrs. exp. in job offered or 5 yrs. exp. w/ SW developmt. for
Telecom Industry. (5 yrs. exp. must be progressively responsible post-grad exp.) Must have in-depth knowledge of telecom
protocols (i.e. ISDN, PRI, SS7, TCP/IP) & scripting languages (i.e. TCL/Expect, UNIX shell programming & PERL as well as
C/C++). Must have exp. diagnos'g & solv'g complex problems in telecom/data networks. 40 hrs/wk; Salary: $92,833/yr.
Send 2 copies of resume to: Case #200201704, Labor Exchange Office, 19 Staniford St 1st Fl, Boston MA 02114.

Sr.  SW  Engr.-  Develop,  integrate,  maintain  &  test  complex  communication  protocols  including,  but  not  limited  to:  Sigtran, 
SS7/CCS7  &  ISDN.  Participate  in  design  &  code  reviews  of  new  SW  &  modifica'ns  to  exist'g  SW.  Develop,  maintain  &  test 
telecom  applications  &  system  SW  responsible  for  configuring  &  controlling  the  system,  internal  communication  between  SW 
entities, fault tolerant & redundant operation of SW. Analyze & document computerized telecom system SW reqs., functional
specs., architectural specs. & design specs. Must have M.S. in Comp. Sci./Eng'g, Electrical/Electronics or equiv., + 2 yrs.
exp. in job offered or 2 yrs. exp. w/telecom SW development. (Exp. may be gained before or after M.S.). In the alternative,
employer will accept Bachelor’s degree + 5 yrs. of progressively responsible post-grad SW developmt. exp., including 2 yrs.
telecom SW developmt. exp. Must have proficiency in C programming, as well as knowledge of telecom protocols. 40 hrs/wk;
Sal: $92,833/yr. Send 2 copies of resume to: Case #200201706, 2002 Labor Exchange Office, 19 Staniford St 1st Fl, Boston
MA 02114.


Business Analyst for NYC IT co to research & analyze mktg & fin'l condns incl accts & target clients & eval alternatives to improve & expand scope of current operations & present recommendations. Analyze current fin'l strategies & present alternative methods of improving fin'l condition. Analyze svcs & operations & recommend alternative procedures to increase efficiency. Analyze industry conditions, rules & regs. Utilize d/base & spreadsheet s/ware to prep reports. Dvlp & integrate new mgmt systems & conduct research. Bach/equiv in Bus Admin & 2 yrs exp. Will accept 3-yr college in specified fields & 2½ yrs in job offd. Systec Int'l, Inc, 350 5th Ave, Ste 7812, NY, NY 10018, fax (212) 290-2889, systec@systecusa.com.

IT  PROFESSIONAL 

www.maximaconsulting.com has
immediate openings for Software
Engineers and Analyst/Programmers
for assignments in Boston/
North East with the following skills:

INTERNET  COMPUTING 

JAVA  Design  &  Architecture 

JAVA/SWING/EJB’s 

ACTUATE/eTOOLS 

ASP.NET 

QA  TESTERS 

PM/Business  Analysts 

CLIENT/SERVER 

UNIX/C++/PERL/SQL 

Oracle  Financials 

Oracle/Sybase  DBA’s 

UNIX  Admin./NT  Admin. 
VC++/VB/COM/DCOM 

Data  Warehouse  Specialists 

Maxima  Consulting,  Inc. 

27  Water  Street 

Wakefield,  MA  01880-3038 
careers@maximaconsulting.com

(781)  246-9500 

Software Engineer II: For co. specializing in mktg & mnfg of computer software, write/modify applications, programs & modules from design specs; test, maintain, debug, update & help establish quality assurance plans. Req: BS or equiv. in Comp Sci, Comp & Info Sci or related field. 1 yr exp in job offered or 1 yr exp as Programmer. Exp must incl object-oriented analysis & design & RDBMS design; may be gained while pursuing degree. Proficiency in Visual C++, C++, Java, JDBC, MS SQL server, ORACLE, JSP, HTML & DHTML. 40 hrs/wk. Send res. to Computerworld, Ref #3540, 500 Old Connecticut Path, Framingham, MA 01701.

COMPUTERS

Radiant Soft Sol, Inc., a S/ware Consulting Comp., seeks to fill the following Multiple Openings in Arlington Heights, IL & unanticipated locations in the US. Sr. Software Consultants (BS + 3 yrs exp), Business/Systems/Programmer/QA Analysts (BS + 2 yrs exp.), Database Analysts (BS + 3 yrs exp.), Network Analysts (BS + 2 yrs. exp.) and IT Managers (BS + 3 yrs supervisory exp). Respond by resume to HR, 855 E. Golf Road, #1125, Arlington Heights, IL 60005.

Programmers to analyze/develop software appls using Oracle Apps, Oracle, PL/SQL, Dev 2000, etc under Windows/UNIX OS; assist in customizing and migrating Oracle App; customize Forms/Reports using Oracle Application standards; document development process. Require: BS or foreign equiv. in CS/Engg. (any branch) & 6 months of exp. In lieu of BS, 3 yrs of academic studies towards a Bachelor's degree plus 1 yr of exp in IT will be accepted. Travel involved. F/T position. Competitive salary. Resume to: HR, Quest America, Inc., 211 East Ontario Street, Suite 1800, Chicago, IL 60611

Application Analysts & Developers, OH & VA. Software (Reynolds DMS & Automark products) apps design & development using Visual InterDev, BTW (Branded Flow Technology) VB, VC++, Businessware, SQL Server 2000 & ASP/IIS 5.0. Req. BS in comp sci, engg, or related field & 1-2 yr exp in programming, developing, or analysis. Resumes to: K. Cramer, Reynolds & Reynolds, POB 2608, Dayton OH 45401.

Position opening for IT professionals with min. 2yrs industry exp. in (various skills combination reqd.) MQ Series; XML, STX 12, EDI, MED Editor, PDK, DTS, OLAP, RPT, VB Script, Dream Weaver, GRC, AWT, Websphere, JDBC, Visual Inter-dev Foxpro, Solaris, Unix, SQL Pre processor, C, C++, Oracle Web Application Server, MTS, Pro*C, CSS, XSL, CEEDUMP, ES 9000, SynSort, OAS, OEM, CVC, SQR, Peoplesoft, People Tools, WorkFlow, RMI, COBOL II, CICS, DB2, IMS DB/DC, MVS, JCL, VSAM, File Aid, Changeman, VB, Java, Oracle, SQL Server, etc. MS or BS or equiv {Engg. (any)} or CS or Bus Admin, or rel. field. Travel/reloc. reqd. Resumes only to HR, 3i People, 1780 Century Circle, Ste 2, Atlanta, GA 30345.


Software Engineer. Develop core back-end technologies, primarily mod_perl development utilizing Perl in a Linux/Unix & Java environ. Using HTML prog. on a SQL d/base & RDBMS systems. Req: BS in Comp. Sci., Comp. Eng. or related field. 40-hrs/wk. Job/Interview Site: W. Hollywood, CA. Send resume with copy of ad to Ticketmaster, 8181 South 48th Street, Suite 100, Phoenix, AZ 85044.


Looking For A New Career?

The new itcareers.com and CareersJournal.com combined jobs database can help you find one. Check us out! www.itcareers.com


SOFTWARE ENGINEER to design, implement and deploy systems software, application messaging protocols, client/server and web based application software using C/C++, ASP, XML, Java, SQL, T-SQL, VBScript, JavaScript with IIS, Visual Studio, MS SQL Server and GNU C/C++ on Windows XP/2000, Windows CE and Linux platforms; Test application software using automated test and application profiling tools including JProfile and JTest on Windows and Linux platforms; Develop application software using OOAD and RUP methodology under ISO 9001 and SEI CMM Level 5 quality procedures. Require: M.S. degree in Computer Science/Engineering, or a closely related field with 2 yrs of exp in the job offered. Extensive travel on assignments to various client sites within the U.S. is required. Competitive salary offered. Apply by resume to: Sophie Mookerjie, Software Paradigms International, Inc., 3901 Roswell Rd, Ste. 134, Marietta, GA 30062; Attn: Job SB.


Engineer - PSA Controls Software wanted to work in Rochester Hills, MI to develop paint and sealing systems. Duties include software development, implementation, testing and on site/in plant debug and runoff. Essential functions: manage the development for paint and sealing systems, software debug and runoff. Work with sales, project management, and installation engineers to runoff projects. Responsible for software specifications, project status and technical information, quoting and specifying projects and training new engineers. Requires a Bachelor of Science degree in Electrical Engineering, at least two months of experience as a Software Programmer, and at least one Bachelor degree level course in each of the following: Industrial Electronics II; Microprocessors; Programming. 40 hours per week, overtime varies, 8:00 a.m. to 5:00 p.m., $48,000 per year. Employer paid ad. Send resume to MDCD/ESA, P.O. Box 11170, Detroit, MI 48202, refer to Reference No. 210681.


Computer Programmer. Duties: Assist w/full cycle develop. of voice recognition tech. system for telecoms. Provide analysis, develop. & coding on a UNIX/Solaris open system using C, C++ & Java. Support implem. of new develop., test appls. & debug system defects & malfunctions. Requires: B.S. (or foreign equiv.) in Comp. Sci., Eng. or related field & 2 yrs. exp. in the job offered or 2 yrs. exp. as a Prog./Analyst or Developer. Concurrent exp. must incl.: 2 yrs. exp. w/full cycle develop. of systems for telecoms & 2 yrs. exp. using Java. Send resume (no calls) to: Marcy Baldwin, CTG, Inc., 3 Neptune Dr., Ste. Q17, Poughkeepsie, NY 12601-5571.


Computer Professional (Multiple Openings) W/exp in one or more of the following:

C/C++, JAVA, Power Builder, Visual Basic, Oracle, Developer 2000, Sybase, Windows, Unix Admin, People Soft, SQL Server, SAP, Oracle Financials, Cobol, Db2, Cics, MVS, JCL, AS/400

Lucrative compensation. Please E-mail your Resumes to the following address:

INFO@ADVANSOFTUSA.COM

Attn. HR Department
AdvanSoft Worldwide, Inc.
415 W. Golf Road, Suite #15
Arlington Heights, IL 60005

Visit WWW.ADVANSOFTUSA.COM For More Details


Infinite Computing Systems, a Cedar Rapids company is seeking qualified computer professionals. Current positions available must meet the following requirements. All positions require at least a Bach degree (foreign Bach degrees are acceptable). We may have additional positions available in addition to the ones listed. Multiple positions are likely available. Candidate's salary relative to experience/skills. Candidates must be willing to relocate and travel as needed.

2 yrs exp:

- Expeditor, IDMS, DB2, COBOL, QMF
- CRM (e.g. SAP, Peoplesoft), Java, HTML, Weblogic or Websphere
- VB, Java, SQL, ASP, .net, SQL Server, IIS
- VB, Developer 2000, SQL, Oracle Apps (functional/Technical)
- Easytrieve, QMF, MF-Cobol, CICS, SAS, TSO/ISPF
- C, C++, GUI, SQL, Oracle or Sybase or Informix

Send resume and cover letter: Raj Inani, President, Infinite Computing Systems, Inc., 230 2nd Street - Ste 214, Cedar Rapids, IA 52401.


Director of Product Marketing

Changing the world may take longer than you thought. But changing the world of business is definitely do-able. As the world's leading supplier of business solutions, SAP has been changing the way businesses run for the past 30 years. And we aren't planning on stopping anytime soon. We're looking to give the brightest minds in the industry the opportunities, freedom, and stimulation that only a world leader like SAP can provide.

For immediate consideration, please visit www.sap.com/usa/employ, go to the Employment Opportunity section and search for Job ID #2513. We offer an excellent benefits package. EOE


SENIOR PROGRAMMER/ANALYST to analyze, design, develop, test, implement and maintain GIS applications using VB, ODL, Perl, Microstation, MDL, C, C++, Java, FRAMME, Web View, Field View, Geo-Media, Oracle, PL/SQL, VC++, ASP, IIS, VBScript, HTML and SQL Server under Windows NT and UNIX operating systems. Require: B.S. degree in Computer Science, an Engineering discipline, or a closely related field with 2 yrs. of exp. in the job offered. Extensive travel on assignment to various client sites within the U.S. is required. Competitive salary offered. Send resume to: Murli N. Reddy, Charter Global Inc., 5445 Triangle Pkwy., Ste. 190, Norcross, GA 30092; Attn: Job W.


Sr. Software Engineer: Design, development, enhancement and implementation of customized computer software in a peer-to-peer and client/server environment utilizing Riposte technology. This will include 3-tier Web-based applications on a distributed messaging system and architecting of databases with an emphasis on minimizing bandwidth requirements. Will serve as Technical Manager. Must have Masters or equivalent in Computer Science, Engineering or related. Must have 3 yrs exp. in job offered or 3 yrs exp. in database development. Experience must include Riposte technology. Salary: $102,500/yr. Hrs: 9:00am-5:00pm, 40/wk

Please send 2 copies of resume to: Case #200202089, Labor Exchange Office, 19 Staniford St., 1st Fl., Boston, MA 02114.


Business Process Analyst. Work Sched 9:00AM-5:00PM 40 hrs/wk $84,000.00 P/A. Evaluate, analyze, develop & support corporate Communications & Information Network, for all corporate facilities (vehicle assembly plants & component mfg plants) in NA (U.S., Canada & Mexico) & Germany. Serve as a lead web developer for corporate Internet & Intranet. Act as a liaison between development teams in the U.S. & Germany to implement global web projects. Evaluate, define software testing methods, redesign infrastructure & process, & analyze systems using Unix-based systems, Oracle, & Universal DataBase database management system using object oriented methodologies, & design/install client server systems using Java. Analyze, design, implement, deploy & support of client server applications networks running Novell, Unix, & DB2 mainframe systems at corporate levels. Use multiple application development tools including WebSphere, Visual Age for Java, & UDB, PVCS & others to develop 3-tiered web applications. Work in technical environment including Unix, SUN Solaris & Windows NT. Improve all aspects of internet/intranet applications as well as underlying business processes. Design & implement portal infrastructure for e-business platform using Netscape & IBM technologies. Bachelor (or equivalent), Computer Science &/or Computer Engineering. One yr. exp. in Job or Related Occupation of Programmer Analyst. One yr. of Related Occupation exp. must include using multiple application development tools including WebSphere, Visual Age for Java, & UDB, to develop 3-tiered web applications, which may be concurrent with Related Occupation exp. Employer Paid Ad. Send resume to MDCD, PO Box 11170, Detroit, MI 48202, Ref.#211383.


Senior Programmer/Analyst: Perform systems development and support work for Oracle-based financial applications, incl. Oracle Financials & Time Billing. Specific duties: systems analysis, design & testing; software development; preparation of systems & user documentation; development of system designs; production support of installed applications (e.g., troubleshooting); development of efficient and effective software solutions; contribution to operational processes by analyzing and suggesting improvements in development approach, methodology & documentation. Must use Oracle SQL, UNIX, PL/SQL. Min. reqs: Bachelor's degree in Comp. Sci., Engineering, related field, + 2 yrs exp. in position offered or 2 yrs exp. in software engineering, programming, or relevant field. Must also have knowledge of Oracle SQL (Reporter 2.5, Forms 4.5 or higher), PL/SQL, UNIX, plus exp. in structural systems life cycle methodology, developing extensions to Oracle Applications 10.7. Must have unrestricted authorization to work in U.S. M-F, 8:30 AM-5:30 PM, 40+ hrs/wk. Salary: $75,000-$85,000/year. An EOE. Send 2 copies of resume to Case No. 200201967, Labor Exchange Office, 19 Staniford St., 1st Fl., Boston, MA 02114.


Systems Analyst: Resp. for analyzing user requirements, procedures, & problems to design, develop, & test application software to automate processing, or to improve existing computer systems. Review computer system capabilities & workflow. Req: Bachelor's degree in Comp. Sci, Engg, Math or Tech plus 2 years exp. in job offered or in rel occupations. Exp. must incl. Oracle, MFC, VC++ & Topend. 40 hrs./wk. Please apply through resumes only to HR Dept., Capricorn Systems Inc., 3569 Haversham at Northlake, Bldg K, Tucker, GA 30084.

Lack of Licensing Revives Criticism of Settlement

Microsoft’s terms draw DOJ’s concern

BY PATRICK THIBODEAU
WASHINGTON

A KEY PROVISION of the U.S. settlement with Microsoft Corp., the licensing of server interoperability protocols, has attracted scant interest from vendors.

And that has brought renewed criticism of the settlement, which was announced nearly two years ago.

Only four companies have received licenses under the settlement, including two major storage vendors, according to a report released last week by the U.S. Department of Justice (DOJ) assessing the settlement. The administration and states that backed the settlement criticized Microsoft’s licensing terms in the report.

But two of the companies that acquired licenses, EMC Corp. in Hopkinton, Mass., and Network Appliance Inc. in Sunnyvale, Calif., said the licenses will be used to assure corporate customers that their storage products won’t be hindered by interoperability problems with Microsoft products.

“We see it as highly beneficial,” said Mike O’Neill, senior director for strategic alliances at Network Appliance. “It becomes very valuable to a customer to know that the solution that they are investing in . . . has a pretty lengthy half-life to it,” he said.

The protocols will be used in network-attached storage (NAS) products — special-purpose file servers that sit in front of storage arrays, interact with Microsoft servers and allow file access over a network.

Tom Joyce, senior director of NAS product marketing at EMC, said the license means that if Microsoft changes technology direction, “we’re in sync with them.” Without the license, EMC would have to reverse-engineer the protocols.

Steve Kenniston, an analyst at Enterprise Storage Group Inc. in Milford, Mass., said, “The fear has always been that no matter what you did, Microsoft could change the rules on you.”

But the royalties, rates and other terms that Microsoft set for the licenses have raised government concern. According to the DOJ report, “further steps may need to be taken” on the licensing terms, including possible new court orders. A hearing is set for July 24.

From 20 to 1

THEN: 20 states, later joined by the Clinton administration, sued Microsoft in 1998, charging the company with antitrust violations.

NOW: Massachusetts is the only state still pursuing an appeal of U.S. District Judge Colleen Kollar-Kotelly’s ruling that the Bush administration-backed settlement was in the public interest. West Virginia, the other holdout, settled in June.

NEXT: The U.S. Court of Appeals will hold a hearing Nov. 4 on Massachusetts' appeal.

The two other companies receiving licenses are VeriSign Inc. in Mountain View, Calif., which plans to use protocols in its security work, and media developer Starbak Communications Inc. in Waltham, Mass.

Microsoft spokesman Jim Desler said the company is working with the government on the licensing terms and is open to additional changes.

“We welcome government feedback, and hopefully, through a constructive process, we can make refinements and adjustments to the program,” he said.

But Microsoft critics, including trade groups representing the company’s rivals, say the paucity of companies acquiring licenses affirms their earlier complaints.

The “settlement is meaningless,” said Edward Black, president of the Computer & Communications Industry Association in Washington, who said the agreement gave Microsoft too much power to set licensing terms and conditions.

But Hilliard Sterling, an antitrust expert at Much Shelist Freed Denenberg Ament & Rubenstein PC in Chicago, said the licensing outcome “may be indicative of the absence of any real need.”

MCI Contracts

while a Government Services Administration review is under way, according to published reports.

David Drabkin, deputy associate administrator for acquisition policy at the GSA, acknowledged that his office is working on a formal request by the GSA’s inspector general to determine whether MCI is “presently responsible” or if it should be suspended or debarred [QuickLink 39203].

“In this case, the recommendation that came from our [inspector general] wasn’t accompanied by any in-depth investigative work showing what the processes were that failed in the company and that possibly led to them not being presently responsible,” said Drabkin. “We have to get a little more information before we decide.”

The ramifications of debarment could be enormous for government agencies. MCI remains a critical federal contractor, holding either prime or subcontractor status on a wide range of contracts, including vital U.S. Department of Defense programs.

Major Disruption

In a May 30 memorandum, GSA General Counsel Raymond McKenna stated that any shift away from MCI would disrupt telecommunications services to a broad swath of federal agencies, including military, law enforcement and homeland security organizations.

“Long-distance voice service to the Pentagon, the FBI’s Trilogy data network, the National Weather Service’s Weather Net, the Social Security Administration’s national voice and data networks and the Centers for Medicare and Medicaid Service’s Medicare/Medicaid Hotline could be jeopardized,” wrote McKenna.

Also, MCI’s prices remain the best choice for the government, McKenna said, adding that agencies would likely have to bear “multimillion-dollar expenses” to switch to other carriers.

Vance Hitch, CIO at the U.S. Department of Justice, acknowledged that a suspension or debarment could disrupt services and introduce new expenses, especially for the FBI’s Trilogy program — a $400 million network effort started in March.

“The FBI has just gone through a very aggressive and high-risk effort to get Trilogy in place and stable,” he said. “It would be very disruptive to have to back off that and change.”

A spokesman for the Defense Information Systems Agency (DISA), the Defense Department’s telecommunications and network management agency, said a thorough review of all MCI contracts is now under way, and officials are evaluating alternative service providers to minimize the impact if MCI is debarred.

The DISA spokesman noted that some existing contracts, particularly those related to national security, may remain in effect after any suspension or debarment.

Ken Smalling, a spokesman for Electronic Data Systems Corp., which relies on MCI for wide-area network services for its $6.9 billion Navy/Marine Corps Intranet (N/MCI) contract, said Plano, Texas-based EDS has the relationships in place to switch to alternative service providers if necessary. He added that so far, MCI has met or exceeded service requirements under the N/MCI contract [QuickLink 39264].

Morton Bahr, president of the Washington-based Communications Workers of America, which supports debarment of MCI, said the government has plenty of viable alternatives. “Clearly, both AT&T and Sprint, with national networks that equal and surpass that of MCI, [would] have no problem handling all available business,” said Bahr.

FRANK HAYES ■ FRANKLY SPEAKING

Open for Business

WHAT, OH WHAT, has happened to these open-source people? At last week’s O’Reilly Open Source Convention in Portland, Ore., I didn’t hear a lot about the philosophy and politics of “the movement.” I didn’t hear bitter fights over which open-source license is best, or endless fretting about the confusion over what the free in free software means — free as in beer? Free as in ride? Free as in not in jail?

What I did hear a lot about was business.

And not just the business of selling Linux operating systems, or selling hardware bundled with MySQL databases, or selling services to install and maintain Apache Web servers and Perl scripts. No, these open-source people were talking about the kind of business issues that matter to corporate IT: how to cost-justify projects, how to stay connected with user needs, how a company can innovate by using free software — not just profit by selling it.

So here was book publisher Tim O’Reilly, sponsor of the conference, talking about a paradigm shift in business models, in which “open-source application” doesn’t just mean OpenOffice but also refers to Google and Yahoo and Amazon.com — companies running on open-source software but using it in some very proprietary ways.

And over there was Ward Cunningham, one of the creators of the extreme programming approach to software development, talking about Fit, an open-source testing tool designed to link managers, developers and business users while applications are being developed.

Wait — managers? Business models? Since when does the unstructured, unbusinesslike open-source world worry about this stuff? And O’Reilly and Cunningham weren’t alone — the program was full of presentations on open-source business models that matter to corporate IT, not just Red Hat wannabes, and on open-source software and techniques that apply directly to what corporate IT shops do.

What happened to all the anticapitalist, anticorporate rhetoric that used to make the free-software crowd so easy for corporate IT people to dismiss? Oh, it’s still around. It’s just not where the action is anymore.

Now the action lies in doing business with open-source.

That means staying focused on the fact that you get your business advantage from your data, not your applications. And the fact that business conditions change constantly, so your software has to keep changing or it will fall out of sync. And the fact that real enterprise software depends on the people who use it as much as those people depend on the software.

Yeah, that’s all stuff they were discussing in Portland. A long way from debates about politics, isn’t it?

No wonder every big software vendor is playing an open-source card. Open-source is more focused on IT for doing business than those other vendors are. In fact, it’s more focused on that challenge than many corporate IT people.

And today, that makes open-source a real threat to the status quo for both vendors and IT shops. It’s one thing to change the way software is built and distributed. It’s far more radical to change the way IT is used to do business.

All of which should be a wake-up call for corporate IT. Paying close attention to open-source is no longer optional. You don’t have to buy open-source philosophy or politics or even products. But if open-source really is where the interesting thinking about IT and business is being done, you need to stay on top of it.

So pay attention to open-source. Track it. If you spot a good idea, steal it or adapt it or repurpose it. Let the open-source crowd do the heavy lifting; you can cherry-pick whatever is most innovative or interesting or useful to you.

Just don’t ignore it — or in a few years, you could be wondering what, oh what, has happened to your IT shop.

Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.


Switcheroo

PCs are randomly dropping off the network, and this big contractor is about to lose the contract because of it. In a last-ditch effort, consultant pilot fish is called in, and he finds the problem: a network switch he knows from experience is flaky. But why didn’t the contractor's staff spot it? “When they were testing, they used a packet sniffer and had to replace that switch with a hub so they could monitor both sides simultaneously,” sighs fish. “Then they put it back before they left.”

SHARK TANK


Stuck

User tells support pilot fish that she knocked a key off her laptop. She replaced it, but now it won’t work. Is the key loose? fish asks. “Not now,” user replies. What do you mean, not now? fish asks. “It was loose, but I fixed it,” user says. “I used super glue.”

Stripped

Layoffs are coming, so this insurance company's managers rank all employees for future termination. “To maintain secrecy, they shredded the printed spreadsheets with the ratings,” says a pilot fish there. “Unfortunately, the spreadsheets were printed in landscape mode, so the shredder blades separated each employee and rating, by name, on his own strip of paper. After I came across them in the recycling bin, I knew each person’s rating - all 126 of them.”

Stymied

After top management lays off every programmer in the department except him, overworked pilot fish fakes a vacation day. When he returns, he finds out his manager is in hot water with the boss. The complaint? Fish groans, “They said she wasn’t providing adequate programming coverage for the department.”

Shrunk

Pilot fish notices that the nearly finished new computer room uses the 6’8” door from the old glass house. The equipment racks are 6’7”, fish says - how will we get them in? “Roll them from the old room into the new one,” says contractor. But the new room has an 8-inch raised floor, fish points out. “The design was quickly modified,” he says, “to include an 8-foot door.”

Stopped

It’s the late 1960s, and this pilot fish discovers - the hard way - that if anyone hits the mainframe’s stop button, the start button won’t restart it; it has to be completely rebooted. Luckily, a vendor engineer and his boss are visiting, and fish describes the problem. “Impossible,” engineer says. “Let me show you.” Says fish, “I still remember me and his boss yelling ‘No!’ as he reached out and hit the stop button.”


FEED THE SHARK! Send your true tale of IT life to sharky@computerworld.com. You snag a snazzy

Oracle’s Public Commitment to PeopleSoft Customers

We will not shut down PeopleSoft products.

You will not be forced to convert to Oracle E-Business Suite applications.

We will provide high quality, truly global customer service for PeopleSoft products through our award-winning customer support organization, which will include PeopleSoft specialists.

We will extend the support period for PeopleSoft products beyond the timeframe PeopleSoft itself has committed to and into the next decade.

We will take no action that reduces the functionality of your PeopleSoft implementations.

We will increase the value of your PeopleSoft investments through ongoing enhancements and maintenance delivered by one of the largest software development organizations in the world.

If and only if you elect to do so, you may move to the Oracle E-Business Suite via FREE module-for-module upgrades.

Don’t be a victim of scare tactics. We would not offer more than $6 billion in cash unless we really wanted you to be our customers. Our investment only pays off for our shareholders if we keep you happy. And we will. Customer satisfaction is our highest priority.

We know how to do this. Ask any customer from our Rdb database acquisition from Digital Equipment Corporation. Nearly nine years later, we are still providing world-class support to thousands of Rdb customers running mission-critical applications.

The solicitation and the offer to buy PeopleSoft's common stock is only made pursuant to the Offer to Purchase and related materials that Oracle Corporation and Pepper Acquisition Corp. filed on June 9, 2003, as amended June 18, 2003. Stockholders should read the Offer to Purchase and related materials carefully because they contain important information, including the terms and conditions of the offer. Stockholders can obtain the Offer to Purchase and related materials free at the SEC’s website at www.sec.gov, from Credit Suisse First Boston LLC, the Dealer Manager for the offer, from MacKenzie Partners, the Information Agent for the offer, or from Oracle Corporation.